Malware analysis CiscoWebExServlet (1) Malicious activity

Add for printing

File name:	CiscoWebExServlet (1)
Full analysis:	https://app.any.run/tasks/7d301656-7299-4feb-acce-14f8ac4f8555
Verdict:	Malicious activity
Analysis date:	July 18, 2019, 00:29:45
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	text/xml
File info:	XML 1.0 document, ASCII text, with very long lines, with no line terminators
MD5:	6E9067B91644A2DA3DD14B68EEE49148
SHA1:	B3340C4E262670A362EE63A5B2BB68883C3FFF05
SHA256:	DD72D6F89F3281ECA34DAB728AE207457788030462A018E0C34640CB184F175A
SSDEEP:	24:2dzPZiaVHDGwylfPAZ8bZ9DVpwl0gDtprrJm:czPkSHuu8zVpwl0Up0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Application launched itself
  - javaws.exe (PID: 3852)
- Creates files in the user directory
  - jp2launcher.exe (PID: 2132)
- Check for Java to be installed
  - javaws.exe (PID: 3852)
- Executes JAVA applets
  - javaws.exe (PID: 3852)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.jnlp	\|	Java Web Start application descriptor (88.3)
.xml	\|	Generic XML (ASCII) (11.6)

EXIF

XMP

JnlpApplication-descArgument:	aHR0cHM6Ly9pYm0ud2ViZXguY29tL2libS9qbWZfd2ViLnBocD9BVD1UQyZjb25maWQ9MTIxODg5NjY4NDIyNzA3MjE2JnVpZD01NDA1MzUyNzcmZmxhZz0wfDAmam5scD0xJmVtYWM9U0RKVFN3QUFBQVFWYjVVdklUUEhULXFyZHBqek9QTUxRTHQxYlFEQlY1R3B0bi1zblhJT0lBMg==
JnlpApplication-descMain-class:	JDownload
JnlpResourcesJarMain:
JnlpResourcesJarHref:	atdwnld.jar
JnlpResourcesJ2seHref:	http://java.sun.com/products/autodl/j2se
JnlpResourcesJ2seVersion:	1.7+
JnlpSecurityAll-permissions:	-
JnlpUpdatePolicy:	always
JnlpUpdateCheck:	always
JnlpInformationOffline-allowed:	-
JnlpInformationVendor:	Cisco System, Inc.
JnlpInformationTitle:	WebEx Java-client
JnlpCodebase:	https://ibm.webex.com/client/T33L/javaclient/training/
JnlpSpec:	7.0+

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3852	"C:\Program Files\Java\jre1.8.0_92\bin\javaws.exe" "C:\Users\admin\AppData\Local\Temp\CiscoWebExServlet (1).jnlp"	C:\Program Files\Java\jre1.8.0_92\bin\javaws.exe	—	explorer.exe
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Web Start Launcher Exit code: 0 Version: 11.92.2.14
2728	"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -cp "C:\PROGRA~1\Java\JRE18~1.0_9\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -userConfig "deployment.expiration.decision.11.92.2" "later"	C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe	—	javaws.exe
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14
3760	"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -cp "C:\PROGRA~1\Java\JRE18~1.0_9\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -userConfig "deployment.expiration.decision.timestamp.11.92.2" "1563409815"	C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe	—	javaws.exe
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14
3476	"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -cp "C:\PROGRA~1\Java\JRE18~1.0_9\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -userConfig "deployment.expiration.decision.suppression.11.92.2" "false"	C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe	—	javaws.exe
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14
2224	JavaWSSplashScreen -splash 49287 "C:\Program Files\Java\jre1.8.0_92\lib\deploy\splash.gif"	C:\Program Files\Java\jre1.8.0_92\bin\javaws.exe		javaws.exe
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Web Start Launcher Exit code: 0 Version: 11.92.2.14
2132	"C:\Program Files\Java\jre1.8.0_92\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_92" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfOTJcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF85MlxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF85MlxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURqbmxweC5vcmlnRmlsZW5hbWVBcmc9QzpcVXNlcnNcYWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXENpc2NvV2ViRXhTZXJ2bGV0ICgxKS5qbmxwAC1Eam5scHgucmVtb3ZlPXRydWUALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF85MlxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfOTJcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzkyXGxpYlxwbHVnaW4uamFyAC1Eam5scHguc3BsYXNocG9ydD00OTI4OQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfOTJcYmluXGphdmF3LmV4ZQ== -ma QzpcVXNlcnNcYWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXGphdmF3czI=	C:\Program Files\Java\jre1.8.0_92\bin\jp2launcher.exe		javaws.exe
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Web Launcher Exit code: 0 Version: 11.92.2.14

Add for printing

Total events

187

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2132	jp2launcher.exe	C:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\1e4433da-3b5c8cd8-temp		—
		MD5:—	SHA256:—
2132	jp2launcher.exe	C:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\615a51ff-77016488-temp		—
		MD5:—	SHA256:—
3476	javaw.exe	C:\Users\admin\AppData\Local\Temp\JavaDeployReg.log		text
		MD5:A351CCBE19ECE898513B901B09AB70F0	SHA256:9E2CA8365D525CD77346063011EA1C5FD85F73C3BD7C338858EEC5921C2AC644
2132	jp2launcher.exe	C:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\1e4433da-3b5c8cd8		xml
		MD5:6E9067B91644A2DA3DD14B68EEE49148	SHA256:DD72D6F89F3281ECA34DAB728AE207457788030462A018E0C34640CB184F175A
2728	javaw.exe	C:\Users\admin\AppData\Local\Temp\JavaDeployReg.log		text
		MD5:A3C243C01A903D431C573E78AD03FDE6	SHA256:B966C32D08293797B33BC494633F79144C50C5A0C35F666EE136DF92379EF26E
2132	jp2launcher.exe	C:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\615a51ff-77016488		java
		MD5:AF78469FA4AE5455EF5BBF6CD0E5A110	SHA256:DB03836F92B718BDF9E511971E706D996D3E639701D28B109E86E804B29F1F5F
2132	jp2launcher.exe	C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp		text
		MD5:3C4A00F2D8C47D26AE103EF1AA217B66	SHA256:D69328141257CA1A4B49ED9A6B3A4E73101E823F9FEAC4DEADDF38A430081DCD
3476	javaw.exe	C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp		text
		MD5:879DF8A2A1C4E2E9B0FB0876B1812A89	SHA256:CDAB810D7F81C863C3242857643E943DB4BFB0C6A5B9EE017564562711F1FBF5
2132	jp2launcher.exe	C:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\1e4433da-8470fc9fb704f22a088d390558fe23d936b61a176b55121f8b4bc39716cfc714-6.0.lap		text
		MD5:69DBB913ECBA11AD77BE765A5FA4E6A5	SHA256:8077370C49BDF72407D5D9141E44F2FB1B83BBC964B502E368DF0F1ECFC53E50
2728	javaw.exe	C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp		text
		MD5:ECF75EBD38863F229A39DD29BC27D3E3	SHA256:5A71FC7E957C5DE9B40390D0C0F059803D3477371CA088C5CAE4934C8CD5D9C0

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2132	jp2launcher.exe	POST	200	35.158.10.169:80	http://ocsp.quovadisglobal.com/	DE	der	1.80 Kb	whitelisted
2132	jp2launcher.exe	POST	200	23.37.43.27:80	http://sv.symcd.com/	NL	der	1.57 Kb	shared
2132	jp2launcher.exe	POST	200	35.158.10.169:80	http://ocsp.quovadisglobal.com/	DE	der	1.78 Kb	whitelisted
2132	jp2launcher.exe	POST	200	23.37.43.27:80	http://s2.symcb.com/	NL	der	1.71 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2132	jp2launcher.exe	35.158.10.169:80	ocsp.quovadisglobal.com	Amazon.com, Inc.	DE	whitelisted
2132	jp2launcher.exe	66.114.168.199:443	ibm.webex.com	Cisco Webex LLC	US	unknown
2132	jp2launcher.exe	23.37.43.27:80	s2.symcb.com	Akamai Technologies, Inc.	NL	whitelisted

DNS requests

Domain	IP	Reputation
ibm.webex.com	66.114.168.199	unknown
ocsp.quovadisglobal.com	35.158.10.169	whitelisted
s2.symcb.com	23.37.43.27	whitelisted
sv.symcd.com	23.37.43.27	shared

Threats

No threats detected

Add for printing

No debug info

General Info

CiscoWebExServlet (1)

6E9067B91644A2DA3DD14B68EEE49148

B3340C4E262670A362EE63A5B2BB68883C3FFF05

DD72D6F89F3281ECA34DAB728AE207457788030462A018E0C34640CB184F175A

24:2dzPZiaVHDGwylfPAZ8bZ9DVpwl0gDtprrJm:czPkSHuu8zVpwl0Up0

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Application launched itself

Creates files in the user directory

Check for Java to be installed

Executes JAVA applets

INFO

Malware configuration

Static information

TRiD

EXIF

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings