analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

OpenOSRS.jar

Full analysis: https://app.any.run/tasks/92be2260-9809-4828-b749-741b591d239b
Verdict: Malicious activity
Analysis date: August 08, 2020, 13:38:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5:

4068A28747EC907086E6CACCC2AD6DE1

SHA1:

634BDC2653FA37D87759A32BE65E71CD5C851441

SHA256:

CA76D6B9CC43FDA59A4450D501DA2FFD191B6B1A007D9F446C2A501FF7CB1631

SSDEEP:

49152:7pRrlMH6GNLi7KkPfAXUPspp6ZJGamX2tzts4tszvmNCpWXZtRkj8gju/59R71az:1HMaGN+PK/D6dEfdiQS/gj0N7u6vBXpy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • REG.exe (PID: 2296)

    • Loads dropped or rewritten executable

      • java.exe (PID: 4068)
      • java.exe (PID: 1516)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • java.exe (PID: 4068)
      • java.exe (PID: 1516)

    • Creates files in the user directory

      • javaw.exe (PID: 2760)
      • java.exe (PID: 4068)
      • java.exe (PID: 1452)

    • Executes JAVA applets

      • javaw.exe (PID: 2760)

    • Uses REG.EXE to modify Windows registry

      • java.exe (PID: 4068)

    • Application launched itself

      • java.exe (PID: 1452)

  • INFO

    • Manual execution by user

      • chrome.exe (PID: 3428)
      • cmd.exe (PID: 3004)
      • explorer.exe (PID: 1272)

    • Reads the hosts file

      • chrome.exe (PID: 3608)
      • chrome.exe (PID: 3428)

    • Application launched itself

      • chrome.exe (PID: 3428)

    • Reads settings of System Certificates

      • chrome.exe (PID: 3608)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 3428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (36.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0808
ZipCompression: Deflated
ZipModifyDate: 2020:05:20 15:03:22
ZipCRC: 0x1d5a56c9
ZipCompressedSize: 84
ZipUncompressedSize: 86
ZipFileName: META-INF/MANIFEST.MF
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
74
Monitored processes
27
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start javaw.exe java.exe reg.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs explorer.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs cmd.exe no specs chrome.exe no specs chrome.exe no specs java.exe java.exe

Process information

PID
CMD
Path
Indicators
Parent process
2760"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\OpenOSRS.jar"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
explorer.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
4068java -jar C:\Users\admin\AppData\Roaming\WinRAR\java.jarC:\Program Files\Java\jre1.8.0_92\bin\java.exe
javaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
2296REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V java /t REG_SZ /F /D C:\Users\admin\AppData\Roaming\WinRAR\java.jarC:\Windows\system32\REG.exe
java.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3428"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2104"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6e3da9d0,0x6e3da9e0,0x6e3da9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3644"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3540 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2820"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,12186656279458529056,3771201382003576198,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=7047251188897686267 --mojo-platform-channel-handle=1064 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
3608"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1028,12186656279458529056,3771201382003576198,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=17409254101387804867 --mojo-platform-channel-handle=1652 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2332"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,12186656279458529056,3771201382003576198,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8388745935434101942 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2676"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,12186656279458529056,3771201382003576198,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14315262885277530353 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
1 221
Read events
1 100
Write events
0
Delete events
0

Modification events

No data
Executable files
9
Suspicious files
50
Text files
99
Unknown types
5

Dropped files

PID
Process
Filename
Type
3428chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
MD5:
SHA256:
3428chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old
MD5:
SHA256:
3428chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\b2855bbc-8a45-49fc-ba3a-01e3c0884837.tmp
MD5:
SHA256:
3428chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000032.dbtmp
MD5:
SHA256:
2760javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:9269D8DB2E1F76C65CE99F86A97ABE91
SHA256:9DF4B92CBE2BF5C46C02DBF6AEF1D5C929C8957B67D546F72B1F522190C3FFFA
3428chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RFe176c.TMPtext
MD5:988975E56D776333B46F1BCAE6967C0E
SHA256:22186F0422A02BE70860975EF688A895EEA653C3A7259FFBA9114138A544E05A
4068java.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:4D7873FCB06F4D1965152727C35268EB
SHA256:F55D14ED7A427B0241FE007ED6F90D8EEDCB8DD5993E1D4D80C25256470D74E5
4068java.exeC:\Users\admin\AppData\Roaming\WinRAR\auth.keytext
MD5:5B6A3226840BA220396368B544EB04E8
SHA256:35A7F814C571CBF88AE8F7A9F4DC2C4D669F623D8757F7CB53B4BCC49DBFCDE6
3428chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Tabsbinary
MD5:0CE1FA0314D44178816BA5E7133E07DD
SHA256:8D81EC8C4EFED885A0FF9267B0B388FB53316938EEDCDFABDC697E3610883714
3428chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RFe17ba.TMPtext
MD5:142AFC7F980CB38310D0680F2E8907CF
SHA256:3D5E5DF95E28CF65C77882748077EC52706AF02F8D869E188B6D16F782F82F44
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
65
DNS requests
22
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3608
chrome.exe
GET
302
198.187.31.49:80
http://open-osrs.com/
US
html
210 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4068
java.exe
185.224.137.108:443
rspshosting.site
malicious
2760
javaw.exe
198.187.31.49:443
open-osrs.com
Namecheap, Inc.
US
suspicious
185.224.137.108:443
rspshosting.site
malicious
3608
chrome.exe
172.217.23.131:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3608
chrome.exe
172.217.16.164:443
www.google.com
Google Inc.
US
whitelisted
3608
chrome.exe
172.217.16.141:443
accounts.google.com
Google Inc.
US
suspicious
3608
chrome.exe
172.217.16.170:443
fonts.googleapis.com
Google Inc.
US
whitelisted
3608
chrome.exe
216.58.205.227:443
www.gstatic.com
Google Inc.
US
whitelisted
3608
chrome.exe
198.187.31.49:80
open-osrs.com
Namecheap, Inc.
US
suspicious
3608
chrome.exe
216.58.207.78:443
apis.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
open-osrs.com
  • 198.187.31.49
suspicious
rspshosting.site
  • 185.224.137.108
malicious
clientservices.googleapis.com
  • 172.217.23.131
whitelisted
accounts.google.com
  • 172.217.16.141
shared
www.google.com
  • 172.217.16.164
whitelisted
fonts.googleapis.com
  • 172.217.16.170
whitelisted
www.gstatic.com
  • 216.58.205.227
whitelisted
fonts.gstatic.com
  • 216.58.212.163
whitelisted
apis.google.com
  • 216.58.207.78
whitelisted
ogs.google.com
  • 172.217.23.110
whitelisted

Threats

PID
Process
Class
Message
3608
chrome.exe
Generic Protocol Command Decode
SURICATA HTTP unable to match response to request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
OpenOSRS.jar