File name:

iCapture.jnlp

Full analysis: https://app.any.run/tasks/39b7b7dc-9eb0-402e-8ad5-77ce91138b0a
Verdict: Malicious activity
Analysis date: November 08, 2018, 12:53:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/xml
File info: XML 1.0 document, ASCII text, with CRLF line terminators
MD5:

374C3C4F82E4B9DACDD47DDBEB3F75CC

SHA1:

9630D19478A97135E7FD926995837CE75F2AA73D

SHA256:

D5E48BEC5F07FC3FB83B5ED2D1CC8F0C13AE233980250FE99F0EA8817B7E6B3C

SSDEEP:

24:2daMgR4BIpU2p4Fa8jGPAZkLgYUzY4HBEQsR4BoVEsR4BoZom9zvn:caYB4uPBEQDBoyDBoZomJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Check for Java to be installed

      • javaws.exe (PID: 3672)

    • Executes JAVA applets

      • javaws.exe (PID: 3672)

    • Application launched itself

      • javaws.exe (PID: 3672)

    • Creates files in the user directory

      • jp2launcher.exe (PID: 1264)

    • Connects to unusual port

      • jp2launcher.exe (PID: 1264)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.jnlp | Java Web Start application descriptor (88.3)
.xml | Generic XML (ASCII) (11.6)

EXIF

XMP

JnlpSpec: 1.0+
JnlpCodebase: https://remotedeposit.myfirstfarmers.com:8443/iCapWeb
JnlpHref: iCapture.jnlp
JnlpInformationTitle: iCapture Thin Client
JnlpInformationVendor: SEI 3.2.12.5
JnlpInformationHomepageHref: http://www.softwareearnings.com
JnlpInformationDescription: iCapture Thin Client
JnlpInformationDescriptionKind: short
JnlpInformationOffline-allowed: -
JnlpSecurityAll-permissions: -
JnlpResourcesOs: Windows
JnlpResourcesJ2seVersion: 1.6+
JnlpResourcesJ2seHref: http://java.sun.com/products/autodl/j2se
JnlpResourcesJarHref: sThinClient.jar
JnlpResourcesJarMain:
JnlpApplication-descMain-class: com.sei.swing.client.MainFrame
JnlpApplication-descArgument: remotedeposit.myfirstfarmers.com
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start javaws.exe no specs javaw.exe no specs javaw.exe no specs javaw.exe no specs javaws.exe jp2launcher.exe

Process information

PID
CMD
Path
Indicators
Parent process
1264"C:\Program Files\Java\jre1.8.0_92\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_92" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfOTJcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF85MlxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF85MlxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURqbmxweC5vcmlnRmlsZW5hbWVBcmc9QzpcVXNlcnNcYWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXGlDYXB0dXJlLmpubHAALURqbmxweC5yZW1vdmU9dHJ1ZQAtRHN1bi5hd3Qud2FybXVwPXRydWUALVhib290Y2xhc3NwYXRoL2E6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzkyXGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF85MlxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfOTJcbGliXHBsdWdpbi5qYXIALURqbmxweC5zcGxhc2hwb3J0PTQ5MjIyAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF85MlxiaW5camF2YXcuZXhl -ma QzpcVXNlcnNcYWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXGphdmF3czI=C:\Program Files\Java\jre1.8.0_92\bin\jp2launcher.exe
javaws.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Web Launcher
Exit code:
0
Version:
11.92.2.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\jp2launcher.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\progra~1\java\jre18~1.0_9\bin\msvcr100.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2584"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -cp "C:\PROGRA~1\Java\JRE18~1.0_9\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -userConfig "deployment.expiration.decision.11.92.2" "later"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exejavaws.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2908"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -cp "C:\PROGRA~1\Java\JRE18~1.0_9\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -userConfig "deployment.expiration.decision.timestamp.11.92.2" "1541681623"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exejavaws.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3304"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -cp "C:\PROGRA~1\Java\JRE18~1.0_9\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -userConfig "deployment.expiration.decision.suppression.11.92.2" "false"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exejavaws.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3668JavaWSSplashScreen -splash 49220 "C:\Program Files\Java\jre1.8.0_92\lib\deploy\splash.gif"C:\Program Files\Java\jre1.8.0_92\bin\javaws.exe
javaws.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Web Start Launcher
Exit code:
0
Version:
11.92.2.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\javaws.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
3672"C:\Program Files\Java\jre1.8.0_92\bin\javaws.exe" "C:\Users\admin\AppData\Local\Temp\iCapture.jnlp"C:\Program Files\Java\jre1.8.0_92\bin\javaws.exeexplorer.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Web Start Launcher
Exit code:
0
Version:
11.92.2.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\javaws.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
Total events
214
Read events
104
Write events
100
Delete events
10

Modification events

(PID) Process:(2584) javaw.exeKey:HKEY_CURRENT_USER\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
Operation:delete keyName:
Value:
(PID) Process:(2584) javaw.exeKey:HKEY_CURRENT_USER\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
Operation:writeName:deployment.modified.timestamp
Value:
1535457890299
(PID) Process:(2908) javaw.exeKey:HKEY_CURRENT_USER\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
Operation:delete keyName:
Value:
(PID) Process:(2908) javaw.exeKey:HKEY_CURRENT_USER\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
Operation:writeName:deployment.modified.timestamp
Value:
1541681623235
(PID) Process:(2908) javaw.exeKey:HKEY_CURRENT_USER\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
Operation:writeName:deployment.roaming.profile
Value:
false
(PID) Process:(2908) javaw.exeKey:HKEY_CURRENT_USER\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
Operation:writeName:deployment.version
Value:
8
(PID) Process:(2908) javaw.exeKey:HKEY_CURRENT_USER\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
Operation:writeName:deployment.expiration.decision.11.92.2
Value:
later
(PID) Process:(2908) javaw.exeKey:HKEY_CURRENT_USER\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
Operation:writeName:deployment.expired.version
Value:
11.92.2
(PID) Process:(2908) javaw.exeKey:HKEY_CURRENT_USER\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
Operation:writeName:deployment.browser.path
Value:
C:\Program Files\Internet Explorer\iexplore.exe
(PID) Process:(2908) javaw.exeKey:HKEY_CURRENT_USER\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
Operation:writeName:deployment.expiration.decision.timestamp.11.92.2
Value:
1541681623
Executable files
10
Suspicious files
4
Text files
30
Unknown types
33

Dropped files

PID
Process
Filename
Type
2584javaw.exeC:\Users\admin\AppData\Local\Temp\JavaDeployReg.log
MD5:
SHA256:
1264jp2launcher.exeC:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\202866f-7e344805-temp
MD5:
SHA256:
2908javaw.exeC:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\deployment.propertiestext
MD5:
SHA256:
1264jp2launcher.exeC:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\1738982d-27035a25-temp
MD5:
SHA256:
2908javaw.exeC:\Users\admin\AppData\Local\Temp\JavaDeployReg.logtext
MD5:
SHA256:
3304javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:
SHA256:
1264jp2launcher.exeC:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\743d94ab-31db7f2c-temp
MD5:
SHA256:
3304javaw.exeC:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\deployment.propertiestext
MD5:
SHA256:
3304javaw.exeC:\Users\admin\AppData\Local\Temp\JavaDeployReg.logtext
MD5:
SHA256:
1264jp2launcher.exeC:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\6c1eef9b-7fb257ae-temp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
62
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1264
jp2launcher.exe
POST
200
188.121.36.239:80
http://ocsp.godaddy.com/
NL
der
1.74 Kb
whitelisted
1264
jp2launcher.exe
POST
200
188.121.36.239:80
http://ocsp.godaddy.com/
NL
der
1.74 Kb
whitelisted
1264
jp2launcher.exe
POST
200
93.184.220.29:80
http://status.geotrust.com/
US
der
471 b
whitelisted
1264
jp2launcher.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
1264
jp2launcher.exe
POST
200
188.121.36.239:80
http://ocsp.godaddy.com/
NL
der
1.69 Kb
whitelisted
1264
jp2launcher.exe
POST
200
188.121.36.239:80
http://ocsp.godaddy.com/
NL
der
1.66 Kb
whitelisted
1264
jp2launcher.exe
POST
200
188.121.36.239:80
http://ocsp.godaddy.com/
NL
der
1.69 Kb
whitelisted
1264
jp2launcher.exe
POST
200
188.121.36.239:80
http://ocsp.godaddy.com/
NL
der
1.66 Kb
whitelisted
1264
jp2launcher.exe
POST
200
23.51.123.27:80
http://s2.symcb.com/
NL
der
1.71 Kb
whitelisted
1264
jp2launcher.exe
POST
200
23.37.43.27:80
http://sv.symcd.com/
NL
der
1.57 Kb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1264
jp2launcher.exe
12.23.248.187:8443
remotedeposit.myfirstfarmers.com
AT&T Services, Inc.
US
unknown
1264
jp2launcher.exe
188.121.36.239:80
ocsp.godaddy.com
GoDaddy.com, LLC
NL
unknown
188.121.36.239:80
ocsp.godaddy.com
GoDaddy.com, LLC
NL
unknown
1264
jp2launcher.exe
184.31.87.231:443
javadl-esd-secure.oracle.com
Akamai International B.V.
NL
whitelisted
1264
jp2launcher.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1264
jp2launcher.exe
23.51.123.27:80
s2.symcb.com
Akamai Technologies, Inc.
NL
whitelisted
1264
jp2launcher.exe
23.37.43.27:80
sv.symcd.com
Akamai Technologies, Inc.
NL
whitelisted

DNS requests

Domain
IP
Reputation
remotedeposit.myfirstfarmers.com
  • 12.23.248.187
unknown
ocsp.godaddy.com
  • 188.121.36.239
whitelisted
javadl-esd-secure.oracle.com
  • 184.31.87.231
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
status.geotrust.com
  • 93.184.220.29
whitelisted
s2.symcb.com
  • 23.51.123.27
whitelisted
sv.symcd.com
  • 23.37.43.27
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
iCapture.jnlp