Analysis Report

Overview

General Information

Joe Sandbox Version:	22.0.0
Analysis ID:	523581
Start time:	09:55:13
Joe Sandbox Product:	Cloud
Start date:	05.04.2018
Overall analysis duration:	0h 6m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	payment.jar
Cookbook file name:	Java Tracing.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.expl.troj.winJAR@9/4@8/3
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
EGA Information:	Failed
Cookbook Comments:	Adjust boot time Correcting counters for adjusted boot time
Warnings:	Show All Exclude process from analysis (whitelisted): WmiPrvSE.exe, conhost.exe, WMIADAP.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: cmd.exe, java.exe, java.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	68	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

Click to jump to signature section

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe

Process created: C:\Windows\System32\reg.exe

Jump to behavior

Networking:

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49190 -> 81.171.7.178:4040

Uses TOR for connection hidding

Show sources

Source: unknown	DNS query: name: vvrhhhnaijyj6s2m.onion.top
Source: unknown	DNS query: name: vvrhhhnaijyj6s2m.onion.top
Source: unknown	DNS query: name: vvrhhhnaijyj6s2m.onion.top
Source: unknown	DNS query: name: vvrhhhnaijyj6s2m.onion.top
Source: unknown	DNS query: name: vvrhhhnaijyj6s2m.onion.top

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: blockholder.duckdns.org

IP address seen in connection with other malware

Show sources

Source: Joe Sandbox View

IP Address: 207.250.29.221 207.250.29.221

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View	ASN Name: FNIS-FidelityNationalInformationServicesIncUS FNIS-FidelityNationalInformationServicesIncUS
Source: Joe Sandbox View	ASN Name: LEASEWEB-NLNetherlandsNL LEASEWEB-NLNetherlandsNL

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: vvrhhhnaijyj6s2m.onion.top

Urls found in memory or binary data

Show sources

Source: java.exe	String found in binary or memory: file:///
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_40/lib/jce.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_40/lib/resources.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_40/lib/rt.jar
Source: java.exe	String found in binary or memory: file:///C:/Users/user/AppData/Local/Temp/jartracer.jar
Source: java.exe	String found in binary or memory: file:///C:/Users/user/Desktop/payment.jar
Source: java.exe	String found in binary or memory: http://
Source: java.exe	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe	String found in binary or memory: http://crl.comodo.net/AAACertificateServices.crl
Source: java.exe	String found in binary or memory: http://crl.comodo.net/AAACertificateServices.crl0
Source: java.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: java.exe	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: java.exe	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe	String found in binary or memory: http://crl.usertrust.com/UTN-DATACorpSGC.crl
Source: java.exe	String found in binary or memory: http://crl.usertrust.com/UTN-DATACorpSGC.crl0
Source: java.exe	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl
Source: java.exe	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl0
Source: java.exe	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Hardware.crl
Source: java.exe	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Hardware.crl01
Source: java.exe	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl
Source: java.exe	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: java.exe	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe	String found in binary or memory: http://null.sun.com/
Source: java.exe	String found in binary or memory: http://policy.camerfirma.com
Source: java.exe	String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe	String found in binary or memory: http://repository.swisssign.com/
Source: java.exe	String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
Source: java.exe	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: java.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: java.exe	String found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: java.exe	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: java.exe	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl
Source: java.exe	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: java.exe	String found in binary or memory: http://www.chambersign.org
Source: java.exe	String found in binary or memory: http://www.chambersign.org1
Source: java.exe	String found in binary or memory: http://www.quovadis.bm
Source: java.exe	String found in binary or memory: http://www.quovadis.bm0
Source: java.exe	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: java.exe	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: java.exe	String found in binary or memory: http://www.usertrust.com
Source: java.exe	String found in binary or memory: http://www.usertrust.com1
Source: java.exe	String found in binary or memory: http://www.usertrust.com1604
Source: java.exe	String found in binary or memory: http://www.valicert.com/
Source: java.exe	String found in binary or memory: http://www.valicert.com/1
Source: java.exe	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: java.exe	String found in binary or memory: https://vvrhhhnaijyj6s2m.onion.top/storage/cryptOutput/0.62515200

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443

Boot Survival:

Creates autostart registry keys to launch java

Show sources

Source: C:\Windows\System32\reg.exe

Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run J14bfe7e2dc5:U6c756b657461796c6f72_s "C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe" -jar "C:\Users\user\.6520706727662484494.jar"

Jump to behavior

Creates autostart registry keys with suspicious names

Show sources

Source: C:\Windows\System32\reg.exe

Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run J14bfe7e2dc5:U6c756b657461796c6f72_s

Jump to behavior

Creates an autostart registry key

Show sources

Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run J14bfe7e2dc5:U6c756b657461796c6f72_s			Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run J14bfe7e2dc5:U6c756b657461796c6f72_s			Jump to behavior

Remote Access Functionality:

Java Jar sets JVM global properties found in jRAT

Show sources

Source: Java tracing	Java Jar sets suspicious JVM global properties: javax.script.AbstractScriptEngine.eval(java.lang.String) on java.lang.System.setProperty("q.main-class","qua.enterprise.qontroller.q4slave.q4local.SlaveMain");
Source: Java tracing	Java Jar sets suspicious JVM global properties: javax.script.AbstractScriptEngine.eval(java.lang.String) on java.lang.System.setProperty("q.encryptedPathsPath","/com/indene/impressive/JarvisLungan");

Stealing of Sensitive Information:

Searches for user specific document files

Show sources

Source: C:\Windows\explorer.exe

Directory queried: C:\Users\user\Documents

Jump to behavior

Data Obfuscation:

Java code performs script evaluation on high entropy strings

Show sources

Source: Java tracing

Executes: javax.script.AbstractScriptEngine.eval(java.lang.String) on com.tryptogen.redfin.Outcaste.yezCheck=com.indene.DecayPray.getNodiPacs().getDeclaredMethod("defineClass", com.indene.De

Launches a Java Jar file from a suspicious file location

Show sources

Source: Java tracing

Executes: java.lang.ProcessBuilder(java.lang.String[]) on c:\program files\java\jre1.8.0_40\bin\java.exe -jar c:\users\user\.6520706727662484494.jar

System Summary:

Reads the hosts file

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Uses reg.exe to modify the Windows registry

Show sources

Source: unknown

Process created: C:\Windows\System32\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v J14bfe7e2dc5:U6c756b657461796c6f72_s /t REG_SZ /d '\'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe\' -jar \'C:\Users\user\.6520706727662484494.jar\''

Classification label

Show sources

Source: classification engine

Classification label: mal68.expl.troj.winJAR@9/4@8/3

Creates files inside the user directory

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\83aa4cc77f591dfc2374580bbd95f6ba_041d84af-7e76-450d-8340-55db3c73c359

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe

File created: C:\Users\user~1\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Executable is probably coded in java

Show sources

Source: C:\Windows\System32\cmd.exe

Section loaded: C:\Program Files\Java\jre1.8.0_40\bin\java.dll

Jump to behavior

Launches a second explorer.exe instance

Show sources

Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe

Reads ini files

Show sources

Source: C:\Windows\explorer.exe

File read: C:\Program Files\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\cmd.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -javaagent:'C:\Users\user~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\payment.jar'' >> C:\cmdlinestart.log 2>&1
Source: unknown	Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -javaagent:'C:\Users\user~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\payment.jar'
Source: unknown	Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\user\.6520706727662484494.jar
Source: unknown	Process created: C:\Windows\System32\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v J14bfe7e2dc5:U6c756b657461796c6f72_s /t REG_SZ /d '\'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe\' -jar \'C:\Users\user\.6520706727662484494.jar\''
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe 'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe' -jar 'C:\Users\user\.6520706727662484494.jar'
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -javaagent:'C:\Users\user~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\payment.jar'	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\user\.6520706727662484494.jar	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	Process created: C:\Windows\System32\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v J14bfe7e2dc5:U6c756b657461796c6f72_s /t REG_SZ /d '\'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe\' -jar \'C:\Users\user\.6520706727662484494.jar\''	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Uses Rich Edit Controls

Show sources

Source: C:\Windows\explorer.exe

File opened: C:\Windows\system32\MsftEdit.dll

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe

File opened: C:\Program Files\Java\jre1.8.0_40\bin\msvcr100.dll

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe

Memory protected: page read and write and page guard

Jump to behavior

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\explorer.exe

Window / User API: threadDelayed 492

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\explorer.exe TID: 3824	Thread sleep time: -60000s >= -60000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 3852	Thread sleep time: -60000s >= -60000s			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: java.exe	Binary or memory string: %com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Language, Device and Operating System Detection:

Queries time zone information

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation DynamicDaylightTimeDisabled

Jump to behavior

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
09:56:43	API Interceptor	2x Sleep call for process: java.exe modified
09:57:15	API Interceptor	1x Sleep call for process: reg.exe modified
09:57:19	API Interceptor	589x Sleep call for process: explorer.exe modified
09:57:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run J14bfe7e2dc5:U6c756b657461796c6f72_s "C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe" -jar "C:\Users\user\.6520706727662484494.jar"

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.250.29.221	5Hzr1MXNCp.jar	877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0	malicious	Browse
	qrat.jar	eacaf45986584e6f20618409a55a6c3296329bd043d69637b4fccbf4dca7cf39	malicious	Browse
	qrat.jar	eacaf45986584e6f20618409a55a6c3296329bd043d69637b4fccbf4dca7cf39	malicious	Browse
	NEW ORDER .LIST 105.jar	031daa275ae5c3ec2a103e0484d496acb3237173d57c8772197e7547d09c97cd	malicious	Browse
	oSBFkSOqOc.jar	6355f0e371f283679ed13b2c3b921c34706dd1f6fbd8630bae9e6d6622c1426d	malicious	Browse
	5Hzr1MXNCp.jar	877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0	malicious	Browse
	5Hzr1MXNCp.jar	877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0	malicious	Browse
	5Hzr1MXNCp.jar	877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0	malicious	Browse
	CONT_WX_BAS.jar	5fe771916df7152c4d1a9d04d325fd3e69f6daa1e381f89d62565b1080be3563	malicious	Browse
	b53P4Umfx.jar	bf5adc2216c0c3f1a84aa412ee97b82fcecae7f0e1ca8a773991a44161d3d407	malicious	Browse
	5Hzr1MXNCp.jar	877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0	malicious	Browse
	Document.jar	e94b1e6c3b02ded7c9fd8ebd9968549504e20ef40a6061c4602d2c89a2dceeb2	malicious	Browse
81.171.7.178	payment.jar	2e4429e1fad34021acb0325df71755bc698560bdfc680ab90ec1b720d4ea507d	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
vvrhhhnaijyj6s2m.onion.top	New Order & Payment TT Copy.jar	cfc3be4fbf57c1350929d0f89cd4a368aad89eb93071b402c56a6c4c8c4f7515	malicious	Browse	46.246.120.179
	0.05185200 1514601062.jar	fd2f198a5cf7ad8bcf4c3a7ca9ae700e13fb52e82dc8afa2cc1ec02344dd5788	malicious	Browse	46.246.120.179
	0.86370800 1515583201.jar	2a79d7c6aadd1144eb83c1fb976e1c25aa9b76ba0e24c5682e1cdc832b0cd2dc	malicious	Browse	46.246.120.179
	https://dl.dropbox.com/s/45vovjy58vmss1d/QuiteImp_Pdf.zip?dl=0		malicious	Browse	46.246.120.179
	Court Case.jar	811ab1fee15fabe24ad39a55ebc87a771a1be78b2282d2cf9d766d185abdd68e	malicious	Browse	80.67.3.122
	COPY OF ORIGINAL SHIPPING .DOCUMENT.jar	a0a17f4d58f298ab33312f3b9c0c4dd3fc6be97faa72ee172da367014e27982e	malicious	Browse	62.0.58.94
	receipt_refund_13032018.jpg.jar	579c5178304a029268fb06d0ec10229a82a273e1b300d64072c76c080116c147	malicious	Browse	62.0.58.94
	payment.jar	2e4429e1fad34021acb0325df71755bc698560bdfc680ab90ec1b720d4ea507d	malicious	Browse	62.0.58.94
	5Hzr1MXNCp.jar	877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0	malicious	Browse	207.250.29.221
	qrat.jar	eacaf45986584e6f20618409a55a6c3296329bd043d69637b4fccbf4dca7cf39	malicious	Browse	207.250.29.221
	qrat.jar	eacaf45986584e6f20618409a55a6c3296329bd043d69637b4fccbf4dca7cf39	malicious	Browse	207.250.29.221
	NEW ORDER .LIST 105.jar	031daa275ae5c3ec2a103e0484d496acb3237173d57c8772197e7547d09c97cd	malicious	Browse	207.250.29.221
	Closing Instructions 12-5-2017.jar	631b1f229578ee344fffaef116ca19082055ddc69747e5a3bb0a5c2699b1d54d	malicious	Browse	46.246.120.179
	Pending Invoice 567824742_doc.jar	5bd850d706a4836acde0e6a00726cc2b21595e5d682f76d382411e84347b9cd8	malicious	Browse	46.246.120.179
	0.29074100 1512093541.jar	d8ad8b8c638df861a1ce19a0e9ce218f713b28ac1faba3d71c2a28e62ac8f6c1	malicious	Browse	46.246.120.179
	vvrhhhnaijyj6s2m.onion.top		malicious	Browse	46.246.120.179
	OFFER-20171110376.docx	32df4b31a55a62c9d6e0a4d5e9251f1bf602141be7b465cd30ef8ec1862b5278	malicious	Browse	46.246.120.179

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-NLNetherlandsNL	67New Spec. Order.exe	782a3fab9b36bf28b9c4fc1cc35c1117d0befe85532742d881dfc43d49a4b3fc	malicious	Browse	95.211.125.236
	Wollin_Info.doc	229c479ee2ad6ee880ce9fa196c453c0d0b7d8deb9bcfd8b9c5b695d3e786c13	malicious	Browse	37.48.122.26
	31SIMREG INCENTIVE BREAKDOWN.xls.exe	44ec55d01db8cc10489808865bf3e8c727b0f95665c788252129c48730e03c9d	malicious	Browse	185.227.83.36
	4920171219_KYC Form for SIM Registration Partners.pd.exe	ab08adc286b8ad4f9050172fe2c9241e5e5be5d192a33b9b7a0222d157cccf1f	malicious	Browse	185.227.83.36
	51Delivery_Notification_00121801.doc.wsf	faba2b71f4ae95ff92dd05aa0779624427197fafe4633750aae98c3320788e73	malicious	Browse	185.246.13.229
	sj.js	7be1c9b5c8ef6d9b52bc0415c43fd826ac56f7b85104c83e278460f7666ec579	malicious	Browse	185.231.69.166
	35ACTIVATION TARGET FOR JANUARY 2018.xlsx.exe	05be5d370dab29f36bb68b660bad837e4d720b7fb7922f44b102aefef798fbf6	malicious	Browse	185.227.83.36
	SL7561298.jse	7458694590c8e390140576b47dfda12cb7d23b881d78ac1fbfc0d4e317f23c8c	malicious	Browse	37.48.122.26
	emotet2.doc	ef2e6152fe8c07575ff05966bb8ca0f42fd820efb37de8431033312e6223924b	malicious	Browse	185.224.137.49
	66DHL_AWB_Shipping.exeDoc2.exe	3971766f2ca5265556c3fb6c99db04f5647465058b9b48cdcde096dc8afa6a3e	malicious	Browse	212.7.208.153
	OrCnUKH5vX.pdf	c86f2967dd7e38aa76bae295f4ab047770b8114a4a6c065cb8f1b6ae35585f08	malicious	Browse	94.75.250.33
	receipt_package_995383740043153369841.js	9c272806dcd9a862431e0ef0c58d761f6d5ee298133500366b277dddfc83b7ee	malicious	Browse	185.241.54.14
	F4Puxs8irK.pdf	c86f2967dd7e38aa76bae295f4ab047770b8114a4a6c065cb8f1b6ae35585f08	malicious	Browse	94.75.250.33
	payment.jar	2e4429e1fad34021acb0325df71755bc698560bdfc680ab90ec1b720d4ea507d	malicious	Browse	81.171.7.178
	fb-register68.hol.es/incorrect_email.html		malicious	Browse	185.224.137.100
	www.wsop.com		malicious	Browse	136.144.49.28
	Emotet 29.03.doc	5a5f9266e16497ffd86d7f36a18b6551a4d8ca29463d410afd499768b876d8ed	malicious	Browse	81.171.31.235
	https://www.jqcdn.download/jquery-3.3.1.min.js		malicious	Browse	185.234.216.52
	drop.exe	302e1245ef2e0607d653e0d3b3ba8af3de32e419264457513c3cf59627692c24	malicious	Browse	185.228.233.126
	49TWQOWU.exe	b7de5f1a5e823f609786050d424ea338e278d68a058fb2ab29a2e890270943f8	malicious	Browse	95.211.125.236
FNIS-FidelityNationalInformationServicesIncUS	5Hzr1MXNCp.jar	877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0	malicious	Browse	207.250.29.221
	qrat.jar	eacaf45986584e6f20618409a55a6c3296329bd043d69637b4fccbf4dca7cf39	malicious	Browse	207.250.29.221
	qrat.jar	eacaf45986584e6f20618409a55a6c3296329bd043d69637b4fccbf4dca7cf39	malicious	Browse	207.250.29.221
	NEW ORDER .LIST 105.jar	031daa275ae5c3ec2a103e0484d496acb3237173d57c8772197e7547d09c97cd	malicious	Browse	207.250.29.221
	oSBFkSOqOc.jar	6355f0e371f283679ed13b2c3b921c34706dd1f6fbd8630bae9e6d6622c1426d	malicious	Browse	207.250.29.221
	5Hzr1MXNCp.jar	877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0	malicious	Browse	207.250.29.221
	5Hzr1MXNCp.jar	877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0	malicious	Browse	207.250.29.221
	5Hzr1MXNCp.jar	877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0	malicious	Browse	207.250.29.221
	CONT_WX_BAS.jar	5fe771916df7152c4d1a9d04d325fd3e69f6daa1e381f89d62565b1080be3563	malicious	Browse	207.250.29.221
	b53P4Umfx.jar	bf5adc2216c0c3f1a84aa412ee97b82fcecae7f0e1ca8a773991a44161d3d407	malicious	Browse	207.250.29.221
	5Hzr1MXNCp.jar	877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0	malicious	Browse	207.250.29.221
	Document.jar	e94b1e6c3b02ded7c9fd8ebd9968549504e20ef40a6061c4602d2c89a2dceeb2	malicious	Browse	207.250.29.221

Dropped Files

No context

Screenshots

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Software Vulnerabilities:

Networking:

Boot Survival:

Remote Access Functionality:

Stealing of Sensitive Information:

Data Obfuscation:

System Summary:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshots