Field | Value
---|---
File name | shipment~trackinginfo.jar
Full analysis | https://app.any.run/tasks/df12ff3a-ee17-46c6-860d-1a9ca54c6416
Verdict | Malicious activity
Threats | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.
Analysis date | May 30, 2020, 12:37:43
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/x-msi
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Software Update for Web Folders (English) 14, Author: Microsoft Corporation, Keywords: Installer, MSI, Database, Release, Comments: This Installer database contains the logic and data required to install Microsoft Software Update for Web Folders (English) 14., Template: Intel;1033, Revision Number: {D09D1C77-A5D3-48C0-B530-C9C18BAF2545}, Create Time/Date: Tue Mar 30 18:26:02 2010, Last Saved Time/Date: Tue Mar 30 18:26:02 2010, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.0.5419.0), Security: 2
MD5 | 48A5714147EE85374AB74174A82AB77A
SHA1 | 0013477C69C58AFEEF76436164A2DE0EB29459BE
SHA256 | E7C36E5ED6E3B409A20CE37D4604EFB2D69BA7C146996CA8F1C0C1BCD72E81A0
SSDEEP | 6144:01kCxZjgS007NNMX/+DoklCAFNWClCA+jp02GmaZ/ZJSEPavLFjt+WQ:06CxZNNNzbCClCA+jp02GmWhJnav5jUf
Extension | Identified type
---|---
.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)
Field | Value
---|---
Security | Read-only recommended
Software | Windows Installer XML (3.0.5419.0)
Words | 2
Pages | 200
ModifyDate | 2010:03:30 17:26:02
CreateDate | 2010:03:30 17:26:02
RevisionNumber | {D09D1C77-A5D3-48C0-B530-C9C18BAF2545}
Template | Intel;1033
Comments | This Installer database contains the logic and data required to install Microsoft Software Update for Web Folders (English) 14.
Keywords | Installer, MSI, Database, Release
Author | Microsoft Corporation
Subject | Microsoft Software Update for Web Folders (English) 14
Title | Installation Database
CodePage | Windows Latin 1 (Western European)
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2172 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\shipment~trackinginfo.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | explorer.exe
2476 | REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "shipment~trackinginfo.jar" /d "C:\Users\admin\AppData\Roaming\shipment~trackinginfo.jar" /f | C:\Windows\system32\REG.exe | — | javaw.exe
1932 | attrib +H C:\Users\admin\AppData\Roaming\shipment~trackinginfo.jar | C:\Windows\system32\attrib.exe | — | javaw.exe
2304 | attrib +H C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipment~trackinginfo.jar | C:\Windows\system32\attrib.exe | — | javaw.exe

Process details:

PID | User | Company | Integrity level | Description | Version | Exit code
---|---|---|---|---|---|---
2172 | admin | Oracle Corporation | MEDIUM | Java(TM) Platform SE binary | 8.0.920.14 | —
2476 | admin | Microsoft Corporation | MEDIUM | Registry Console Tool | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
1932 | admin | Microsoft Corporation | MEDIUM | Attribute Utility | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
2304 | admin | Microsoft Corporation | MEDIUM | Attribute Utility | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
2476 | REG.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | shipment~trackinginfo.jar | C:\Users\admin\AppData\Roaming\shipment~trackinginfo.jar
2172 | javaw.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Name | javaw.exe
2172 | javaw.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E | LanguageList | en-US
2172 | javaw.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E | @C:\Windows\system32\NetworkExplorer.dll,-1 | Network
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2172 | javaw.exe | C:\Users\admin\AppData\Local\Temp\JNativeHook-3602086412565743411.dll | — | — | —
2172 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipment~trackinginfo.jar | executable | 48A5714147EE85374AB74174A82AB77A | E7C36E5ED6E3B409A20CE37D4604EFB2D69BA7C146996CA8F1C0C1BCD72E81A0
2172 | javaw.exe | C:\Users\admin\AppData\Roaming\shipment~trackinginfo.jar | executable | 48A5714147EE85374AB74174A82AB77A | E7C36E5ED6E3B409A20CE37D4604EFB2D69BA7C146996CA8F1C0C1BCD72E81A0
2172 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | E90D847A13617005AFE0B92F10139B14 | 2AE34BAD476EC7EBC451AA1E2955EB11F9EFD65BD38C4483269A747EF0E8D62E
2172 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | C8366AE350E7019AEFC9D1E6E6A498C6 | 11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
2172 | javaw.exe | C:\Users\admin\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll | executable | B4CE035F926531D6B4DFA8477C6477E4 | F6FFEAD3B5F3DB5A7A00D1FEF874C3D3ED7ECF095DA2D981EBD691FDFA685716
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
2172 | javaw.exe | 91.92.136.52:9090 | — | BelCloud Hosting Corporation | BG | malicious

PID | Process | Class | Message
---|---|---|---
2172 | javaw.exe | Generic Protocol Command Decode | SURICATA Applayer Wrong direction first Data
2172 | javaw.exe | A Network Trojan was detected | AV TROJAN Trojan.Java.Ratty.a CnC Checkin