analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

shipment_trackinginfo.jar.zip

Full analysis: https://app.any.run/tasks/5f94d880-0a44-4570-9ee2-fb01cbe05192
Verdict: Malicious activity
Analysis date: May 30, 2020, 12:41:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

CFF9ACAF3513569D22F529D8488F3AD7

SHA1:

77FA4EA65D7E81CF7822B4E089A3AE5782F81078

SHA256:

B54C63A8A13CA20B989AB1CEAE7AF367B4BD337C075AD42E2A06E54CB962725C

SSDEEP:

6144:UBWC+zZYdGGoGaYAr2Ywl/ywO0krqG4guH78c6X6uSnTMJbEGVxAeGQ:UBWBZYRoUEGbONDxK7nMZHAen

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • javaw.exe (PID: 1556)
    • Changes the autorun value in the registry

      • REG.exe (PID: 3792)
    • Loads dropped or rewritten executable

      • javaw.exe (PID: 1556)
    • Actions looks like stealing of personal data

      • javaw.exe (PID: 1556)
  • SUSPICIOUS

    • Suspicious files were dropped or overwritten

      • WinRAR.exe (PID: 584)
      • javaw.exe (PID: 1556)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 584)
      • javaw.exe (PID: 1556)
    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 1556)
    • Creates files in the user directory

      • javaw.exe (PID: 1556)
    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 1556)
  • INFO

    • Manual execution by user

      • javaw.exe (PID: 1556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2020:05:29 04:13:25
ZipCRC: 0xf20941be
ZipCompressedSize: 336095
ZipUncompressedSize: 391463
ZipFileName: shipment_trackinginfo.jar
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe javaw.exe reg.exe attrib.exe no specs attrib.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
584"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\shipment_trackinginfo.jar.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1556"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\Desktop\shipment_trackinginfo.jar" C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
explorer.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
3792REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "shipment_trackinginfo.jar" /d "C:\Users\admin\AppData\Roaming\shipment_trackinginfo.jar" /fC:\Windows\system32\REG.exe
javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3884attrib +H C:\Users\admin\AppData\Roaming\shipment_trackinginfo.jarC:\Windows\system32\attrib.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3980attrib +H C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipment_trackinginfo.jarC:\Windows\system32\attrib.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
855
Read events
828
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
0
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
1556javaw.exeC:\Users\admin\AppData\Local\Temp\JNativeHook-7153438308218788367.dll
MD5:
SHA256:
1556javaw.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipment_trackinginfo.jarexecutable
MD5:48A5714147EE85374AB74174A82AB77A
SHA256:E7C36E5ED6E3B409A20CE37D4604EFB2D69BA7C146996CA8F1C0C1BCD72E81A0
584WinRAR.exeC:\Users\admin\Desktop\shipment_trackinginfo.jarexecutable
MD5:48A5714147EE85374AB74174A82AB77A
SHA256:E7C36E5ED6E3B409A20CE37D4604EFB2D69BA7C146996CA8F1C0C1BCD72E81A0
1556javaw.exeC:\Users\admin\AppData\Roaming\shipment_trackinginfo.jarexecutable
MD5:48A5714147EE85374AB74174A82AB77A
SHA256:E7C36E5ED6E3B409A20CE37D4604EFB2D69BA7C146996CA8F1C0C1BCD72E81A0
1556javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:51A8E862B05C5F06BDABF51B980DCCEE
SHA256:7E0056D2B10EF5A38361FD2A20EDCD349106F193360E10F51650EF1DC323625E
1556javaw.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2fdbf
MD5:C8366AE350E7019AEFC9D1E6E6A498C6
SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
1556javaw.exeC:\Users\admin\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dllexecutable
MD5:B4CE035F926531D6B4DFA8477C6477E4
SHA256:F6FFEAD3B5F3DB5A7A00D1FEF874C3D3ED7ECF095DA2D981EBD691FDFA685716
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1556
javaw.exe
91.92.136.52:9090
BelCloud Hosting Corporation
BG
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
1556
javaw.exe
Generic Protocol Command Decode
SURICATA Applayer Wrong direction first Data
No debug info