analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://nokia-ms.ru:443/wp-content/uploads/2016/02/5708_sexy_cards.jar

Full analysis: https://app.any.run/tasks/d0bf9cc3-a7fd-48be-9b1d-7eee1ef090e4
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: July 11, 2019, 14:22:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
trojan
jacksbot
Indicators:
MD5:

15B6A494E69A54C6443663B606025BB6

SHA1:

37DA6F8F7AA75C0BF29D6DFB78FAC6F8A0404D50

SHA256:

FB201AB6616B64F06A8B1186B2E1ECCE3760FF8F08C8DE9E97D0D9E686808DEF

SSDEEP:

3:N1KQmhruRAQlAQyXBaqHlT+8X:CQmhCRDlAZMqHv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • JACKSBOT was detected

      • java.exe (PID: 3296)

    • Connects to CnC server

      • java.exe (PID: 3296)

    • Changes the autorun value in the registry

      • java.exe (PID: 3296)

  • SUSPICIOUS

    • Executes JAVA applets

      • javaw.exe (PID: 1656)
      • iexplore.exe (PID: 3220)

    • Creates files in the user directory

      • javaw.exe (PID: 1656)

    • Uses WMIC.EXE to obtain a list of AntiViruses

      • java.exe (PID: 3296)

    • Uses WMIC.EXE to obtain a list of Firewalls

      • java.exe (PID: 3296)

    • Uses WMIC.EXE to obtain a system information

      • java.exe (PID: 3296)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3220)

    • Changes internet zones settings

      • iexplore.exe (PID: 3220)

    • Creates files in the user directory

      • iexplore.exe (PID: 3220)
      • iexplore.exe (PID: 3724)
      • WINWORD.EXE (PID: 1012)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3724)
      • iexplore.exe (PID: 3220)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3724)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3220)

    • Manual execution by user

      • WINWORD.EXE (PID: 1012)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe javaw.exe no specs #JACKSBOT java.exe wmic.exe no specs wmic.exe no specs winword.exe no specs wmic.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3220"C:\Program Files\Internet Explorer\iexplore.exe" http://nokia-ms.ru:443/wp-content/uploads/2016/02/5708_sexy_cards.jarC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3724"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3220 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1656"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\Desktop\jratbuild7641038732851191423.jar" C:\Program Files\Java\jre1.8.0_92\bin\javaw.exeiexplore.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
3296"C:\Program Files\Java\jre1.8.0_92\bin\java" -jar C:\Users\admin\AppData\Roaming\File.jarC:\Program Files\Java\jre1.8.0_92\bin\java.exe
javaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
2896wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /format:listC:\Windows\System32\Wbem\wmic.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1892wmic /node:localhost /namespace:\\root\SecurityCenter2 path FirewallProduct get /format:listC:\Windows\System32\Wbem\wmic.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1012"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\republictry.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
1924wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /format:listC:\Windows\System32\Wbem\wmic.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
364wmic /node:localhost /namespace:\\root\SecurityCenter2 path FirewallProduct get /format:listC:\Windows\System32\Wbem\wmic.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 559
Read events
1 360
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
8
Text files
16
Unknown types
9

Dropped files

PID
Process
Filename
Type
3220iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
3220iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3724iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:8722D68C43A537E63F7D334DC6F0DAF3
SHA256:E9CD0C0608E657F67A160997DC1779F60C9EBC212125DE1E72633CA9F1D15395
3220iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF300E0CE852C95EC0.TMP
MD5:
SHA256:
3220iexplore.exeC:\Users\admin\AppData\Local\Temp\StructuredQuery.logtext
MD5:A0C35F79F2081DAC09DFBF7963D455E0
SHA256:39BBDC28C38757988560B62D55DE5683470C4ED15E5129E675F1BD85C4F2E4D5
1656javaw.exeC:\Users\admin\AppData\Roaming\File.jarcompressed
MD5:D2E29608173FEA075CBC72F0A5AED499
SHA256:EB3D51B2551A2E5D3D077F1E4DFAA6FEBBE1C1447C1FF1BC8AD022B3BB070625
3724iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:47B0C71417B74C4A4F6CDADBBB8F8219
SHA256:28C211F0D1AE83F402CCE384567AF4442D3BB9F9D144DD180321D359E72390BA
3220iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF2FB21ADBAA4BFC46.TMP
MD5:
SHA256:
3220iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF769FAD00BC9BC0CE.TMP
MD5:
SHA256:
3220iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].pngimage
MD5:9FB559A691078558E77D6848202F6541
SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
5
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3724
iexplore.exe
GET
200
92.119.113.32:80
http://92.119.113.32/app.app/Contents/MacOS/jratbuild7641038732851191423.jar
unknown
compressed
195 Kb
suspicious
3724
iexplore.exe
GET
400
173.249.36.176:443
http://nokia-ms.ru:443/wp-content/uploads/2016/02/5708_sexy_cards.jar
US
html
650 b
whitelisted
3220
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3220
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3724
iexplore.exe
173.249.36.176:443
nokia-ms.ru
Contabo GmbH
US
unknown
3724
iexplore.exe
92.119.113.32:80
suspicious
3296
java.exe
92.119.113.32:1336
suspicious

DNS requests

Domain
IP
Reputation
nokia-ms.ru
  • 173.249.36.176
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://nokia-ms.ru:443/wp-content/uploads/2016/02/5708_sexy_cards.jar