
Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 523581
Start time: 09:55:13
Joe Sandbox Product: Cloud
Start date: 05.04.2018
Overall analysis duration: 0h 6m 16s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: payment.jar
Cookbook file name: Java Tracing.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.expl.troj.winJAR@9/4@8/3
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
Warnings:
  • Exclude process from analysis (whitelisted): WmiPrvSE.exe, conhost.exe, WMIADAP.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: cmd.exe, java.exe, java.exe

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 68 | 0 - 100 | Report FP / FN | malicious

Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview



Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process created: C:\Windows\System32\reg.exe

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.16:49190 -> 81.171.7.178:4040
Uses TOR for connection hiding
Source: unknown | DNS query: name: vvrhhhnaijyj6s2m.onion.top
Source: unknown | DNS query: name: vvrhhhnaijyj6s2m.onion.top
Source: unknown | DNS query: name: vvrhhhnaijyj6s2m.onion.top
Source: unknown | DNS query: name: vvrhhhnaijyj6s2m.onion.top
Source: unknown | DNS query: name: vvrhhhnaijyj6s2m.onion.top
Uses dynamic DNS services
Source: unknown | DNS query: name: blockholder.duckdns.org
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 207.250.29.221
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: FNIS-FidelityNationalInformationServicesIncUS
Source: Joe Sandbox View | ASN Name: LEASEWEB-NLNetherlandsNL
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: vvrhhhnaijyj6s2m.onion.top
Urls found in memory or binary data
Source: java.exe | String found in binary or memory: file:///
Source: java.exe | String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_40/lib/jce.jar
Source: java.exe | String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_40/lib/resources.jar
Source: java.exe | String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_40/lib/rt.jar
Source: java.exe | String found in binary or memory: file:///C:/Users/user/AppData/Local/Temp/jartracer.jar
Source: java.exe | String found in binary or memory: file:///C:/Users/user/Desktop/payment.jar
Source: java.exe | String found in binary or memory: http://
Source: java.exe | String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe | String found in binary or memory: http://crl.comodo.net/AAACertificateServices.crl
Source: java.exe | String found in binary or memory: http://crl.comodo.net/AAACertificateServices.crl0
Source: java.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe | String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: java.exe | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: java.exe | String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe | String found in binary or memory: http://crl.usertrust.com/UTN-DATACorpSGC.crl
Source: java.exe | String found in binary or memory: http://crl.usertrust.com/UTN-DATACorpSGC.crl0
Source: java.exe | String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl
Source: java.exe | String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl0
Source: java.exe | String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Hardware.crl
Source: java.exe | String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Hardware.crl01
Source: java.exe | String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl
Source: java.exe | String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: java.exe | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe | String found in binary or memory: http://null.sun.com/
Source: java.exe | String found in binary or memory: http://policy.camerfirma.com
Source: java.exe | String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe | String found in binary or memory: http://repository.swisssign.com/
Source: java.exe | String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
Source: java.exe | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: java.exe | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: java.exe | String found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: java.exe | String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: java.exe | String found in binary or memory: http://www.certplus.com/CRL/class3P.crl
Source: java.exe | String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: java.exe | String found in binary or memory: http://www.chambersign.org
Source: java.exe | String found in binary or memory: http://www.chambersign.org1
Source: java.exe | String found in binary or memory: http://www.quovadis.bm
Source: java.exe | String found in binary or memory: http://www.quovadis.bm0
Source: java.exe | String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe | String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: java.exe | String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: java.exe | String found in binary or memory: http://www.usertrust.com
Source: java.exe | String found in binary or memory: http://www.usertrust.com1
Source: java.exe | String found in binary or memory: http://www.usertrust.com1604
Source: java.exe | String found in binary or memory: http://www.valicert.com/
Source: java.exe | String found in binary or memory: http://www.valicert.com/1
Source: java.exe | String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: java.exe | String found in binary or memory: https://vvrhhhnaijyj6s2m.onion.top/storage/cryptOutput/0.62515200
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown | Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown | Network traffic detected: HTTP traffic on port 49189 -> 443

Boot Survival:

Creates autostart registry keys to launch java
Source: C:\Windows\System32\reg.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run J14bfe7e2dc5:U6c756b657461796c6f72_s "C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe" -jar "C:\Users\user\.6520706727662484494.jar"
Creates autostart registry keys with suspicious names
Source: C:\Windows\System32\reg.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run J14bfe7e2dc5:U6c756b657461796c6f72_s
Creates an autostart registry key
Source: C:\Windows\System32\reg.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run J14bfe7e2dc5:U6c756b657461796c6f72_s
Source: C:\Windows\System32\reg.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run J14bfe7e2dc5:U6c756b657461796c6f72_s

Remote Access Functionality:

Java Jar sets JVM global properties found in jRAT
Source: Java tracing | Java Jar sets suspicious JVM global properties: javax.script.AbstractScriptEngine.eval(java.lang.String) on java.lang.System.setProperty("q.main-class","qua.enterprise.qontroller.q4slave.q4local.SlaveMain");
Source: Java tracing | Java Jar sets suspicious JVM global properties: javax.script.AbstractScriptEngine.eval(java.lang.String) on java.lang.System.setProperty("q.encryptedPathsPath","/com/indene/impressive/JarvisLungan");

Stealing of Sensitive Information:

Searches for user specific document files
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\Documents

Data Obfuscation:

Java code performs script evaluation on high entropy strings
Source: Java tracing | Executes: javax.script.AbstractScriptEngine.eval(java.lang.String) on com.tryptogen.redfin.Outcaste.yezCheck=com.indene.DecayPray.getNodiPacs().getDeclaredMethod("defineClass", com.indene.De
Launches a Java Jar file from a suspicious file location
Source: Java tracing | Executes: java.lang.ProcessBuilder(java.lang.String[]) on c:\program files\java\jre1.8.0_40\bin\java.exe -jar c:\users\user\.6520706727662484494.jar

System Summary:

Reads the hosts file
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
Uses reg.exe to modify the Windows registry
Source: unknown | Process created: C:\Windows\System32\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v J14bfe7e2dc5:U6c756b657461796c6f72_s /t REG_SZ /d '\'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe\' -jar \'C:\Users\user\.6520706727662484494.jar\''
Classification label
Source: classification engine | Classification label: mal68.expl.troj.winJAR@9/4@8/3
Creates files inside the user directory
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\83aa4cc77f591dfc2374580bbd95f6ba_041d84af-7e76-450d-8340-55db3c73c359
Creates temporary files
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | File created: C:\Users\user~1\AppData\Local\Temp\hsperfdata_user
Executable is probably coded in java
Source: C:\Windows\System32\cmd.exe | Section loaded: C:\Program Files\Java\jre1.8.0_40\bin\java.dll
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Reads ini files
Source: C:\Windows\explorer.exe | File read: C:\Program Files\desktop.ini
Reads software policies
Source: C:\Windows\System32\cmd.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -javaagent:'C:\Users\user~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\payment.jar'' >> C:\cmdlinestart.log 2>&1
Source: unknown | Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -javaagent:'C:\Users\user~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\payment.jar'
Source: unknown | Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\user\.6520706727662484494.jar
Source: unknown | Process created: C:\Windows\System32\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v J14bfe7e2dc5:U6c756b657461796c6f72_s /t REG_SZ /d '\'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe\' -jar \'C:\Users\user\.6520706727662484494.jar\''
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe 'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe' -jar 'C:\Users\user\.6520706727662484494.jar'
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -javaagent:'C:\Users\user~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\payment.jar'
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\user\.6520706727662484494.jar
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process created: C:\Windows\System32\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v J14bfe7e2dc5:U6c756b657461796c6f72_s /t REG_SZ /d '\'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe\' -jar \'C:\Users\user\.6520706727662484494.jar\''
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Uses Rich Edit Controls
Source: C:\Windows\explorer.exe | File opened: C:\Windows\system32\MsftEdit.dll
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses new MSVCR Dlls
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | File opened: C:\Program Files\Java\jre1.8.0_40\bin\msvcr100.dll

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | System information queried: KernelDebuggerInformation
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Memory protected: page read and write and page guard

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 492
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 3824 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 3852 | Thread sleep time: -60000s >= -60000s
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: java.exe | Binary or memory string: %com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe | Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe | Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe | Binary or memory string: org/omg/CORBA/OMGVMCID.classPK

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

Queries time zone information
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation DynamicDaylightTimeDisabled
Queries the cryptographic machine GUID
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 523581
Sample: payment.jar
Start date: 05/04/2018
Architecture: WINDOWS
Score: 68

Graph contents (text form):
  • payment.jar (sample)
    Signatures: Uses TOR for connection hiding; Detected TCP or UDP traffic on non-standard ports; Uses dynamic DNS services; Java Jar sets JVM global properties found in jRAT
    • cmd.exe (started by the sample)
      • java.exe (started by cmd.exe)
        DNS/IP: vvrhhhnaijyj6s2m.onion.top; vvrhhhnaijyj6s2m.onion.top 207.250.29.221, ports 443, 49188, 49189, FNIS-FidelityNationalInformationServicesIncUS, United States; 2 other IPs or domains
        Dropped: C:\Users\user\.6520706727662484494.jar (Java)
        • java.exe (started by java.exe)
          DNS/IP: blockholder.duckdns.org 81.171.7.178, ports 4040, 49190, 49191, LEASEWEB-NLNetherlandsNL, Netherlands
          Dropped: unknown (ASCII)
          Signature: Exploit detected, runtime environment starts unknown processes
          • reg.exe (started by java.exe)
            Signatures: Creates autostart registry keys to launch java; Creates autostart registry keys with suspicious names
    • explorer.exe (started by the sample)
    • explorer.exe (started by the sample)
  Signatures attached to network nodes: vvrhhhnaijyj6s2m.onion.top: Uses TOR for connection hiding; blockholder.duckdns.org: Detected TCP or UDP traffic on non-standard ports

Simulations

Behavior and APIs

Time | Type | Description
09:56:43 | API Interceptor | 2x Sleep call for process: java.exe modified
09:57:15 | API Interceptor | 1x Sleep call for process: reg.exe modified
09:57:19 | API Interceptor | 589x Sleep call for process: explorer.exe modified
09:57:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run J14bfe7e2dc5:U6c756b657461796c6f72_s "C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe" -jar "C:\Users\user\.6520706727662484494.jar"

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection
207.250.29.221 | 5Hzr1MXNCp.jar | 877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0 | malicious
207.250.29.221 | qrat.jar | eacaf45986584e6f20618409a55a6c3296329bd043d69637b4fccbf4dca7cf39 | malicious
207.250.29.221 | qrat.jar | eacaf45986584e6f20618409a55a6c3296329bd043d69637b4fccbf4dca7cf39 | malicious
207.250.29.221 | NEW ORDER .LIST 105.jar | 031daa275ae5c3ec2a103e0484d496acb3237173d57c8772197e7547d09c97cd | malicious
207.250.29.221 | oSBFkSOqOc.jar | 6355f0e371f283679ed13b2c3b921c34706dd1f6fbd8630bae9e6d6622c1426d | malicious
207.250.29.221 | 5Hzr1MXNCp.jar | 877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0 | malicious
207.250.29.221 | 5Hzr1MXNCp.jar | 877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0 | malicious
207.250.29.221 | 5Hzr1MXNCp.jar | 877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0 | malicious
207.250.29.221 | CONT_WX_BAS.jar | 5fe771916df7152c4d1a9d04d325fd3e69f6daa1e381f89d62565b1080be3563 | malicious
207.250.29.221 | b53P4Umfx.jar | bf5adc2216c0c3f1a84aa412ee97b82fcecae7f0e1ca8a773991a44161d3d407 | malicious
207.250.29.221 | 5Hzr1MXNCp.jar | 877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0 | malicious
207.250.29.221 | Document.jar | e94b1e6c3b02ded7c9fd8ebd9968549504e20ef40a6061c4602d2c89a2dceeb2 | malicious
81.171.7.178 | payment.jar | 2e4429e1fad34021acb0325df71755bc698560bdfc680ab90ec1b720d4ea507d | malicious

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
vvrhhhnaijyj6s2m.onion.top | New Order & Payment TT Copy.jar | cfc3be4fbf57c1350929d0f89cd4a368aad89eb93071b402c56a6c4c8c4f7515 | malicious | 46.246.120.179
vvrhhhnaijyj6s2m.onion.top | 0.05185200 1514601062.jar | fd2f198a5cf7ad8bcf4c3a7ca9ae700e13fb52e82dc8afa2cc1ec02344dd5788 | malicious | 46.246.120.179
vvrhhhnaijyj6s2m.onion.top | 0.86370800 1515583201.jar | 2a79d7c6aadd1144eb83c1fb976e1c25aa9b76ba0e24c5682e1cdc832b0cd2dc | malicious | 46.246.120.179
vvrhhhnaijyj6s2m.onion.top | https://dl.dropbox.com/s/45vovjy58vmss1d/QuiteImp_Pdf.zip?dl=0 | | malicious | 46.246.120.179
vvrhhhnaijyj6s2m.onion.top | Court Case.jar | 811ab1fee15fabe24ad39a55ebc87a771a1be78b2282d2cf9d766d185abdd68e | malicious | 80.67.3.122
vvrhhhnaijyj6s2m.onion.top | COPY OF ORIGINAL SHIPPING .DOCUMENT.jar | a0a17f4d58f298ab33312f3b9c0c4dd3fc6be97faa72ee172da367014e27982e | malicious | 62.0.58.94
vvrhhhnaijyj6s2m.onion.top | receipt_refund_13032018.jpg.jar | 579c5178304a029268fb06d0ec10229a82a273e1b300d64072c76c080116c147 | malicious | 62.0.58.94
vvrhhhnaijyj6s2m.onion.top | payment.jar | 2e4429e1fad34021acb0325df71755bc698560bdfc680ab90ec1b720d4ea507d | malicious | 62.0.58.94
vvrhhhnaijyj6s2m.onion.top | 5Hzr1MXNCp.jar | 877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0 | malicious | 207.250.29.221
vvrhhhnaijyj6s2m.onion.top | qrat.jar | eacaf45986584e6f20618409a55a6c3296329bd043d69637b4fccbf4dca7cf39 | malicious | 207.250.29.221
vvrhhhnaijyj6s2m.onion.top | qrat.jar | eacaf45986584e6f20618409a55a6c3296329bd043d69637b4fccbf4dca7cf39 | malicious | 207.250.29.221
vvrhhhnaijyj6s2m.onion.top | NEW ORDER .LIST 105.jar | 031daa275ae5c3ec2a103e0484d496acb3237173d57c8772197e7547d09c97cd | malicious | 207.250.29.221
vvrhhhnaijyj6s2m.onion.top | Closing Instructions 12-5-2017.jar | 631b1f229578ee344fffaef116ca19082055ddc69747e5a3bb0a5c2699b1d54d | malicious | 46.246.120.179
vvrhhhnaijyj6s2m.onion.top | Pending Invoice 567824742_doc.jar | 5bd850d706a4836acde0e6a00726cc2b21595e5d682f76d382411e84347b9cd8 | malicious | 46.246.120.179
vvrhhhnaijyj6s2m.onion.top | 0.29074100 1512093541.jar | d8ad8b8c638df861a1ce19a0e9ce218f713b28ac1faba3d71c2a28e62ac8f6c1 | malicious | 46.246.120.179
vvrhhhnaijyj6s2m.onion.top | vvrhhhnaijyj6s2m.onion.top | | malicious | 46.246.120.179
vvrhhhnaijyj6s2m.onion.top | OFFER-20171110376.docx | 32df4b31a55a62c9d6e0a4d5e9251f1bf602141be7b465cd30ef8ec1862b5278 | malicious | 46.246.120.179

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
LEASEWEB-NLNetherlandsNL | 67New Spec. Order.exe | 782a3fab9b36bf28b9c4fc1cc35c1117d0befe85532742d881dfc43d49a4b3fc | malicious | 95.211.125.236
LEASEWEB-NLNetherlandsNL | Wollin_Info.doc | 229c479ee2ad6ee880ce9fa196c453c0d0b7d8deb9bcfd8b9c5b695d3e786c13 | malicious | 37.48.122.26
LEASEWEB-NLNetherlandsNL | 31SIMREG INCENTIVE BREAKDOWN.xls.exe | 44ec55d01db8cc10489808865bf3e8c727b0f95665c788252129c48730e03c9d | malicious | 185.227.83.36
LEASEWEB-NLNetherlandsNL | 4920171219_KYC Form for SIM Registration Partners.pd.exe | ab08adc286b8ad4f9050172fe2c9241e5e5be5d192a33b9b7a0222d157cccf1f | malicious | 185.227.83.36
LEASEWEB-NLNetherlandsNL | 51Delivery_Notification_00121801.doc.wsf | faba2b71f4ae95ff92dd05aa0779624427197fafe4633750aae98c3320788e73 | malicious | 185.246.13.229
LEASEWEB-NLNetherlandsNL | sj.js | 7be1c9b5c8ef6d9b52bc0415c43fd826ac56f7b85104c83e278460f7666ec579 | malicious | 185.231.69.166
LEASEWEB-NLNetherlandsNL | 35ACTIVATION TARGET FOR JANUARY 2018.xlsx.exe | 05be5d370dab29f36bb68b660bad837e4d720b7fb7922f44b102aefef798fbf6 | malicious | 185.227.83.36
LEASEWEB-NLNetherlandsNL | SL7561298.jse | 7458694590c8e390140576b47dfda12cb7d23b881d78ac1fbfc0d4e317f23c8c | malicious | 37.48.122.26
LEASEWEB-NLNetherlandsNL | emotet2.doc | ef2e6152fe8c07575ff05966bb8ca0f42fd820efb37de8431033312e6223924b | malicious | 185.224.137.49
LEASEWEB-NLNetherlandsNL | 66DHL_AWB_Shipping.exeDoc2.exe | 3971766f2ca5265556c3fb6c99db04f5647465058b9b48cdcde096dc8afa6a3e | malicious | 212.7.208.153
LEASEWEB-NLNetherlandsNL | OrCnUKH5vX.pdf | c86f2967dd7e38aa76bae295f4ab047770b8114a4a6c065cb8f1b6ae35585f08 | malicious | 94.75.250.33
LEASEWEB-NLNetherlandsNL | receipt_package_995383740043153369841.js | 9c272806dcd9a862431e0ef0c58d761f6d5ee298133500366b277dddfc83b7ee | malicious | 185.241.54.14
LEASEWEB-NLNetherlandsNL | F4Puxs8irK.pdf | c86f2967dd7e38aa76bae295f4ab047770b8114a4a6c065cb8f1b6ae35585f08 | malicious | 94.75.250.33
LEASEWEB-NLNetherlandsNL | payment.jar | 2e4429e1fad34021acb0325df71755bc698560bdfc680ab90ec1b720d4ea507d | malicious | 81.171.7.178
LEASEWEB-NLNetherlandsNL | fb-register68.hol.es/incorrect_email.html | | malicious | 185.224.137.100
LEASEWEB-NLNetherlandsNL | www.wsop.com | | malicious | 136.144.49.28
LEASEWEB-NLNetherlandsNL | Emotet 29.03.doc | 5a5f9266e16497ffd86d7f36a18b6551a4d8ca29463d410afd499768b876d8ed | malicious | 81.171.31.235
LEASEWEB-NLNetherlandsNL | https://www.jqcdn.download/jquery-3.3.1.min.js | | malicious | 185.234.216.52
LEASEWEB-NLNetherlandsNL | drop.exe | 302e1245ef2e0607d653e0d3b3ba8af3de32e419264457513c3cf59627692c24 | malicious | 185.228.233.126
LEASEWEB-NLNetherlandsNL | 49TWQOWU.exe | b7de5f1a5e823f609786050d424ea338e278d68a058fb2ab29a2e890270943f8 | malicious | 95.211.125.236
FNIS-FidelityNationalInformationServicesIncUS | 5Hzr1MXNCp.jar | 877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0 | malicious | 207.250.29.221
FNIS-FidelityNationalInformationServicesIncUS | qrat.jar | eacaf45986584e6f20618409a55a6c3296329bd043d69637b4fccbf4dca7cf39 | malicious | 207.250.29.221
FNIS-FidelityNationalInformationServicesIncUS | qrat.jar | eacaf45986584e6f20618409a55a6c3296329bd043d69637b4fccbf4dca7cf39 | malicious | 207.250.29.221
FNIS-FidelityNationalInformationServicesIncUS | NEW ORDER .LIST 105.jar | 031daa275ae5c3ec2a103e0484d496acb3237173d57c8772197e7547d09c97cd | malicious | 207.250.29.221
FNIS-FidelityNationalInformationServicesIncUS | oSBFkSOqOc.jar | 6355f0e371f283679ed13b2c3b921c34706dd1f6fbd8630bae9e6d6622c1426d | malicious | 207.250.29.221
FNIS-FidelityNationalInformationServicesIncUS | 5Hzr1MXNCp.jar | 877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0 | malicious | 207.250.29.221
FNIS-FidelityNationalInformationServicesIncUS | 5Hzr1MXNCp.jar | 877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0 | malicious | 207.250.29.221
FNIS-FidelityNationalInformationServicesIncUS | 5Hzr1MXNCp.jar | 877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0 | malicious | 207.250.29.221
FNIS-FidelityNationalInformationServicesIncUS | CONT_WX_BAS.jar | 5fe771916df7152c4d1a9d04d325fd3e69f6daa1e381f89d62565b1080be3563 | malicious | 207.250.29.221
FNIS-FidelityNationalInformationServicesIncUS | b53P4Umfx.jar | bf5adc2216c0c3f1a84aa412ee97b82fcecae7f0e1ca8a773991a44161d3d407 | malicious | 207.250.29.221
FNIS-FidelityNationalInformationServicesIncUS | 5Hzr1MXNCp.jar | 877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0 | malicious | 207.250.29.221
FNIS-FidelityNationalInformationServicesIncUS | Document.jar | e94b1e6c3b02ded7c9fd8ebd9968549504e20ef40a6061c4602d2c89a2dceeb2 | malicious | 207.250.29.221

Dropped Files

No context

Screenshots