Joe Sandbox Cloud Pro Analysis Report

Loading ...

Analysis Report

Overview

General Information

Joe Sandbox Version:20.0.0
Analysis ID:353368
Start time:09:40:14
Joe Sandbox Product:Cloud
Start date:31.08.2017
Overall analysis duration:0h 15m 1s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:75Doc 0.26777400 15041397050000000jpg.jar
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:40
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • VBA Instrumentation enabled
  • JavaScript Instrumentation enabled
Detection:MAL
Classification:mal92.evad.expl.troj.winJAR@152/348@0/3
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information:Failed
Cookbook Comments:
  • Sleeps bigger than 20000ms are automatically reduced to 500ms
  • Found application associated with file extension: .jar
Warnings:
Show All
  • Exclude process from analysis (whitelisted): mscorsvw.exe, sppsvc.exe, conhost.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: java.exe, java.exe, javaw.exe, java.exe


Detection

StrategyScoreRangeReportingDetection
Threshold920 - 100Report FP / FNmalicious


Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox



Signature Overview

Click to jump to signature section



DDoS:

barindex
Too many similar processes foundShow sources
Source: unknownProcess created: 92

Software Vulnerabilities:

barindex
Exploit detected, runtime environment starts unknown processesShow sources
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Windows\System32\cmd.exe

Networking:

barindex
Urls found in memory or binary dataShow sources
Source: java.exeString found in binary or memory: file://
Source: javaw.exeString found in binary or memory: file:///
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/charsets.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/ext/access-bridge.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/ext/cldrdata.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/ext/dnsns.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/ext/jaccess.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/ext/jfxrt.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/ext/localedata.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/ext/nashorn.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/ext/sunec.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/ext/sunjce_provider.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/ext/sunmscapi.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/ext/sunpkcs11.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/ext/zipfs.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/jce.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/jfr.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/jsse.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/resources.jar
Source: java.exeString found in binary or memory: file:///c:/program%20files/java/jre1.8.0_40/lib/rt.jar
Source: java.exeString found in binary or memory: file:///c:/users/user/appdata/local/temp/_0.4312212827200392546983382786626386.class
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/charsets.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/ext/access-bridge.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/ext/cldrdata.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/ext/dnsns.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/ext/jaccess.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/ext/jfxrt.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/ext/localedata.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/ext/nashorn.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/ext/sunec.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/ext/sunjce_provider.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/ext/sunmscapi.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/ext/sunpkcs11.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/ext/zipfs.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/jce.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/jfr.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/jsse.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/resources.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/appdata/roaming/oracle/lib/rt.jar
Source: java.exeString found in binary or memory: file:///c:/users/user/desktop/75doc%200.26777400%2015041
Source: java.exeString found in binary or memory: file:///c:/users/user/desktop/75doc%200.26777400%2015041397050000000jpg.jar
Source: javaw.exeString found in binary or memory: file:///c:/users/user/eddlsovkfgw/aknzqikoykh.qmsbqy
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/3
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/allow-java-encodings
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/continue-after-fatal-error
Source: java.exeString found in binary or memory: http://apache.org/xml/features/continue-after-fatal-error8
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/continue-after-fatal-error=
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/create-cdata-nodes
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/disallow-doctype-decl
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/dom/create-entity-ref-nodes
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansion
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansion9
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/dom/include-ignorable-whitespace
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/dom/include-ignorable-whitespace/
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations9
Source: java.exeString found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotationsh
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/honour-all-schemalocations
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/honour-all-schemalocationsxs
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/include-comments
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/include-comments0
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/internal/parser-settings
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/internal/parser-settings7
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicates
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-only
Source: java.exeString found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-only/
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/namespace-growth
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd:
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refs
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refs7
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refs
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refs3
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/standard-uri-conformant
Source: java.exeString found in binary or memory: http://apache.org/xml/features/standard-uri-conformant2
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/standard-uri-conformantan2
Source: java.exeString found in binary or memory: http://apache.org/xml/features/standard-uri-conformants:2
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/validate-annotations
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-trees
Source: java.exeString found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-trees-r1
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-trees1
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/validation/dynamic
Source: java.exeString found in binary or memory: http://apache.org/xml/features/validation/dynamicr
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/validation/schema
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking
Source: java.exeString found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking=
Source: java.exeString found in binary or memory: http://apache.org/xml/features/validation/schema-full-checkingq
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/validation/schema/augment-psvi
Source: java.exeString found in binary or memory: http://apache.org/xml/features/validation/schema/augment-psvicq
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/validation/schema/element-default
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/validation/schema/element-defaulta
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-value
Source: java.exeString found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-value-q
Source: java.exeString found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-valueb
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdef
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef:
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydef
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/xinclude
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris6
Source: javaw.exeString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language;
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/features/xinclude1
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/-s
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/dom/current-element-node
Source: java.exeString found in binary or memory: http://apache.org/xml/properties/dom/current-element-node9
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/dom/document-class-name
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/dom/document-class-name$
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/input-buffer-size
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/input-buffer-sizecondit
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factory
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factory:
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/document-scanner
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/document-scanner7
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor
Source: java.exeString found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor5
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner8
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/entity-manager
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/entity-manager8
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver
Source: java.exeString found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver7
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/error-handler
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/error-handler6
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/error-reporter
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/error-reporter:
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool6
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/namespace-binder
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/namespace-context
Source: java.exeString found in binary or memory: http://apache.org/xml/properties/internal/namespace-context0
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolver
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/symbol-table
Source: java.exeString found in binary or memory: http://apache.org/xml/properties/internal/symbol-tableq
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/validation-manager
Source: java.exeString found in binary or memory: http://apache.org/xml/properties/internal/validation-manager:q
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/validation-managerf
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory
Source: java.exeString found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory7
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factorys
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/validator/dtd
Source: java.exeString found in binary or memory: http://apache.org/xml/properties/internal/validator/dtd:
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/validator/schema
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler
Source: java.exeString found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler9
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/locale
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/localej
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/schema/external-nonamespaceschemalocation
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/schema/external-nonamespaceschemalocation?
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/schema/external-schemalocation
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/properties/schema/external-schemalocation(
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/security-manager
Source: java.exeString found in binary or memory: http://apache.org/xml/properties/security-managerh
Source: java.exe, javaw.exeString found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymoustypes
Source: java.exeString found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymoustypes/w3c/d
Source: java.exeString found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymoustypes;ljava
Source: javaw.exeString found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymoustypesg/w3c/
Source: javaw.exeString found in binary or memory: http://bugreport.java.com/bugreport/crash.jsp
Source: javaw.exeString found in binary or memory: http://bugreport.java.com/bugreport/crash.jspresourcemanagement
Source: javaw.exe, java.exeString found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, java.exeString found in binary or memory: http://bugreport.sun.com/bugreport/java.vendor.url.bughttp://java.oracle.com/java.vendor.urljava.ven
Source: xcopy.exeString found in binary or memory: http://downloa
Source: java.exeString found in binary or memory: http://java.oracle.com/
Source: javaw.exeString found in binary or memory: http://java.sun.com/dtd/properties.dtd
Source: java.exe, javaw.exeString found in binary or memory: http://java.sun.com/xml/dom/properties/
Source: java.exe, javaw.exeString found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-check
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-check1s
Source: java.exeString found in binary or memory: http://java.sun.com/xml/dom/properties/b(
Source: java.exeString found in binary or memory: http://java.sun.com/xml/dom/properties/d(
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/dom/properties/e(
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/jaxp/properties/
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemalanguage
Source: java.exe, javaw.exeString found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemalanguage4
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemasource
Source: java.exe, javaw.exeString found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemasource7
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/schema/features/
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace
Source: java.exeString found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace0
Source: java.exe, javaw.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/
Source: java.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtd
Source: java.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtde
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtdtex
Source: java.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/om/noda
Source: java.exe, javaw.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-state
Source: java.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-state)lorg/w
Source: java.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-stater
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-staterg/w3c/
Source: java.exe, javaw.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/report-cdata-event
Source: java.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/ue
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/y;
Source: javaw.exeString found in binary or memory: http://javax.xml.xmlconstants/feature/secure-processing
Source: java.exe, javaw.exeString found in binary or memory: http://javax.xml.xmlconstants/property/
Source: java.exeString found in binary or memory: http://javax.xml.xmlconstants/property//3
Source: java.exe, javaw.exeString found in binary or memory: http://javax.xml.xmlconstants/property/accessexternaldtd
Source: java.exe, javaw.exeString found in binary or memory: http://javax.xml.xmlconstants/property/accessexternaldtd;
Source: javaw.exeString found in binary or memory: http://javax.xml.xmlconstants/property/accessexternalschema
Source: javaw.exeString found in binary or memory: http://javax.xml.xmlconstants/property/d3
Source: java.exeString found in binary or memory: http://javax.xml.xmlconstants/property/r3
Source: java.exe, javaw.exeString found in binary or memory: http://null.sun.com/
Source: java.exe, javaw.exeString found in binary or memory: http://null.sun.com/0
Source: javaw.exeString found in binary or memory: http://openjdk.java.net/jeps/220).
Source: java.exe, javaw.exeString found in binary or memory: http://www.oracle.com/feature/use-service-mechanism
Source: java.exeString found in binary or memory: http://www.oracle.com/feature/use-service-mechanism/obje
Source: javaw.exeString found in binary or memory: http://www.oracle.com/feature/use-service-mechanismm/nod
Source: java.exeString found in binary or memory: http://www.oracle.com/feature/use-service-mechanismon_al
Source: javaw.exeString found in binary or memory: http://www.oracle.com/hotspot/jvm/
Source: javaw.exeString found in binary or memory: http://www.oracle.com/hotspot/jvm/java/monitor/address
Source: javaw.exeString found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/code_sweeper/id
Source: javaw.exeString found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/compiler/id
Source: javaw.exeString found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/gc/id
Source: javaw.exeString found in binary or memory: http://www.oracle.com/technetwork/java/javaseproducts/
Source: javaw.exeString found in binary or memory: http://www.oracle.com/technetwork/java/javaseproducts/d:
Source: java.exe, javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/
Source: javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementattributelimit
Source: javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementattributelimit0
Source: java.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementattributelimitv9
Source: java.exe, javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityexpansionlimit
Source: java.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityexpansionlimitac
Source: javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityexpansionlimitl
Source: java.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/erces19
Source: javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/g/w3c/9
Source: javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getentitycountinfo
Source: java.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/lang/s9
Source: javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxelementdepth
Source: java.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxelementdeptha/lang/c
Source: javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxgeneralentitysizelimit
Source: java.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxgeneralentitysizelimit(z)v
Source: java.exe, javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxoccurlimit
Source: java.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxoccurlimitde
Source: java.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxoccurlimite
Source: javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxoccurlimitne
Source: java.exe, javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxparameterentitysizelimit
Source: javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxparameterentitysizelimit;)z
Source: java.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxparameterentitysizelimittan
Source: java.exe, javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxxmlnamelimit
Source: javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxxmlnamelimitang/str
Source: java.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxxmlnamelimitass;
Source: java.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxxmlnamelimitljava/l
Source: java.exe, javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalentitysizelimit
Source: java.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalentitysizelimitg_
Source: javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalentitysizelimitja
Source: javaw.exeString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlsecuritypropertymanager
Source: java.exe, javaw.exeString found in binary or memory: http://xml.org/sax/features/
Source: javaw.exeString found in binary or memory: http://xml.org/sax/features//lan
Source: javaw.exeString found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-enddtd
Source: java.exeString found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-enddtd4q
Source: javaw.exeString found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: javaw.exeString found in binary or memory: http://xml.org/sax/features/external-general-entities7
Source: javaw.exeString found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: javaw.exeString found in binary or memory: http://xml.org/sax/features/namespaces
Source: java.exeString found in binary or memory: http://xml.org/sax/features/namespaces&
Source: java.exeString found in binary or memory: http://xml.org/sax/features/om/s
Source: java.exeString found in binary or memory: http://xml.org/sax/features/tene
Source: javaw.exeString found in binary or memory: http://xml.org/sax/features/use-entity-resolver2
Source: javaw.exeString found in binary or memory: http://xml.org/sax/features/validation
Source: javaw.exeString found in binary or memory: http://xml.org/sax/properties/
Source: java.exe, javaw.exeString found in binary or memory: http://xml.org/sax/properties/(
Source: javaw.exeString found in binary or memory: http://xml.org/sax/properties/xml-string
Source: java.exe, javaw.exeString found in binary or memory: https://jrat.io
Source: java.exeString found in binary or memory: https://jrat.ios
Source: java.exeString found in binary or memory: https://jrat.ios1
Detected TCP or UDP traffic on non-standard portsShow sources
Source: global trafficTCP traffic: 192.168.1.16:49201 -> 178.175.138.167:9010
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
Source: TrafficSnort IDS: 2020728 ET TROJAN Possible Adwind SSL Cert (assylias.Inc) 178.175.138.167:9010 -> 192.168.1.16:49201

Boot Survival:

barindex
Creates an autostart registry keyShow sources
Source: C:\Windows\System32\reg.exeRegistry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run GboKDMbfKti
Source: C:\Windows\System32\reg.exeRegistry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run GboKDMbfKti
Creates autostart registry keys to launch javaShow sources
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeRegistry value created or modified: HKEY_USERS\Software\Microsoft\Direct3D\MostRecentApplication Name javaw.exe
Source: C:\Windows\System32\reg.exeRegistry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run GboKDMbfKti "C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\user\eDdlsoVKfgW\AknzQIkoyKh.qmSBQy"

Remote Access Functionality:

barindex
ADWIND Rat detectedShow sources
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeDropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeDropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeDropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeDropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeDropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeDropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext
Source: C:\Users\user\AppData\Roaming\Oracle\bin\java.exeDropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext
Source: C:\Users\user\AppData\Roaming\Oracle\bin\java.exeDropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext

Persistence and Installation Behavior:

barindex
Creates license or readme fileShow sources
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\README.txt
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Drops PE filesShow sources
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\kcms.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcr100.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\net.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_es2.dll
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeFile created: C:\Users\LUKETA~1\AppData\Local\Temp\Windows8952294696781336921.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\management.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\verify.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\java.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\java.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe
May use bcdedit to modify the Windows boot settingsShow sources
Source: java.exeBinary or memory string: 0?9bcdedit.exe
Drops files with a non-matching file extension (content does not match file extension)Show sources
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl

Spreading:

barindex
Enumerates the file systemShow sources
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeFile opened: C:\Users\user\AppData\Roaming\Oracle\lib\
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeFile opened: C:\Users\user\AppData\Roaming\Oracle\lib\ext\
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeFile opened: C:\Users\user\AppData\Roaming\
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeFile opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeFile opened: C:\Users\user\AppData\Roaming\Oracle\
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeFile opened: C:\Users\user\AppData\

System Summary:

barindex
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeFile opened: C:\Program Files\Java\jre1.8.0_40\bin\msvcr100.dll
Binary contains paths to debug symbolsShow sources
Source: Binary string: msvcr100.i386.pdb source: javaw.exe
Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\libverify\verify.pdb source: javaw.exe
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdbP8PP@Y source: java.exe, javaw.exe
Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\libawt\awt.pdb source: javaw.exe, java.exe
Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\libnio\nio.pdb source: javaw.exe, java.exe
Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\libnet\net.pdb source: javaw.exe, java.exe
Source: Binary string: C:\Users\Win10\Desktop\RetriveTitle_vb2010\Release\TitleWindow.pdb source: java.exe, javaw.exe
Source: Binary string: D:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdb source: javaw.exe
Source: Binary string: C:\Users\Windows10\Desktop\RetriveTitle\x64\Release\TitleWindow.pdb source: java.exe, javaw.exe
Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe
Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\libjava\java.pdbW" source: javaw.exe, java.exe
Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\libawt\awt.pdb8^ source: javaw.exe, java.exe
Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\libzip\zip.pdb source: javaw.exe, java.exe
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\x64\Release\CryptUtil.pdb source: java.exe, javaw.exe
Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\libmanagement\management.pdbi: source: javaw.exe
Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: javaw.exe
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdb source: java.exe, javaw.exe
Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\libjava\java.pdb source: javaw.exe, java.exe
Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\libsunec\sunec.pdb source: javaw.exe, java.exe
Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\libmanagement\management.pdb source: javaw.exe
Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\libnet\net.pdbI source: javaw.exe, java.exe
Classification labelShow sources
Source: classification engineClassification label: mal92.evad.expl.troj.winJAR@152/348@0/3
Creates files inside the user directoryShow sources
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\83aa4cc77f591dfc2374580bbd95f6ba_041d84af-7e76-450d-8340-55db3c73c359
Creates temporary filesShow sources
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeFile created: C:\Users\LUKETA~1\AppData\Local\Temp\hsperfdata_user
Executable is probably coded in javaShow sources
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeSection loaded: C:\Program Files\Java\jre1.8.0_40\bin\client\jvm.dll
Executes visual basic scriptsShow sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive2520289818372255555.vbs
Queries process information (via WMI, Win32_Process)Show sources
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exeWMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Reads software policiesShow sources
Source: C:\Windows\System32\cmd.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)Show sources
Source: 75Doc 0.26777400 15041397050000000jpg.jarVirustotal: hash found
Spawns processesShow sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\75Doc 0.26777400 15041397050000000jpg.jar'
Source: unknownProcess created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\75Doc 0.26777400 15041397050000000jpg.jar'
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c java.exe -jar 'C:\Users\user\Desktop\75Doc 0.26777400 15041397050000000jpg.jar' OnayiZufuhugu.OgiyizEfahiGu.Main >> C:\cmdlinestart.log 2>&1
Source: unknownProcess created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe java.exe -jar 'C:\Users\user\Desktop\75Doc 0.26777400 15041397050000000jpg.jar' OnayiZufuhugu.OgiyizEfahiGu.Main
Source: unknownProcess created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\LUKETA~1\AppData\Local\Temp\_0.4312212827200392546983382786626386.class
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive2520289818372255555.vbs
Source: unknownProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive2520289818372255555.vbs
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive194914766236682624.vbs
Source: unknownProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive194914766236682624.vbs
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive3159448250120760692.vbs
Source: unknownProcess created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: unknownProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive3159448250120760692.vbs
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive8817309470254096997.vbs
Source: unknownProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive8817309470254096997.vbs
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe
Source: unknownProcess created: C:\Windows\System32\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GboKDMbfKti /t REG_EXPAND_SZ /d '\'C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe\' -jar \'C:\Users\user\eDdlsoVKfgW\AknzQIkoyKh.qmSBQy\'' /f
Source: unknownProcess created: C:\Windows\System32\attrib.exe attrib +h 'C:\Users\user\eDdlsoVKfgW\*.*'
Source: unknownProcess created: C:\Windows\System32\attrib.exe attrib +h 'C:\Users\user\eDdlsoVKfgW'
Source: unknownProcess created: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\user\eDdlsoVKfgW\AknzQIkoyKh.qmSBQy
Source: unknownProcess created: C:\Users\user\AppData\Roaming\Oracle\bin\java.exe C:\Users\user\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\LUKETA~1\AppData\Local\Temp\_0.94322696032766358809744035144248591.class
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive6799039488535261462.vbs
Source: unknownProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive6799039488535261462.vbs
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive6418174406144645399.vbs
Source: unknownProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive6418174406144645399.vbs
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive3450254285310729085.vbs
Source: unknownProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive3450254285310729085.vbs
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive2857528709846908978.vbs
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe
Source: unknownProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive2857528709846908978.vbs
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\75Doc 0.26777400 15041397050000000jpg.jar'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe java.exe -jar 'C:\Users\user\Desktop\75Doc 0.26777400 15041397050000000jpg.jar' OnayiZufuhugu.OgiyizEfahiGu.Main
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\LUKETA~1\AppData\Local\Temp\_0.4312212827200392546983382786626386.class
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive2520289818372255555.vbs
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive194914766236682624.vbs
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Windows\System32\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GboKDMbfKti /t REG_EXPAND_SZ /d '\'C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe\' -jar \'C:\Users\user\eDdlsoVKfgW\AknzQIkoyKh.qmSBQy\'' /f
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Windows\System32\attrib.exe attrib +h 'C:\Users\user\eDdlsoVKfgW\*.*'
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Windows\System32\attrib.exe attrib +h 'C:\Users\user\eDdlsoVKfgW'
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\user\eDdlsoVKfgW\AknzQIkoyKh.qmSBQy
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive3159448250120760692.vbs
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive8817309470254096997.vbs
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive2520289818372255555.vbs
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive194914766236682624.vbs
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive3159448250120760692.vbs
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive8817309470254096997.vbs
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: C:\Users\user\AppData\Roaming\Oracle\bin\java.exe C:\Users\user\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\LUKETA~1\AppData\Local\Temp\_0.94322696032766358809744035144248591.class
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive6799039488535261462.vbs
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive3450254285310729085.vbs
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive2857528709846908978.vbs
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive2857528709846908978.vbs
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Oracle\bin\java.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive6418174406144645399.vbs
Source: C:\Users\user\AppData\Roaming\Oracle\bin\java.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive2857528709846908978.vbs
Source: C:\Users\user\AppData\Roaming\Oracle\bin\java.exeProcess created: unknown unknown
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive6799039488535261462.vbs
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive6418174406144645399.vbs
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive3450254285310729085.vbs
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\LUKETA~1\AppData\Local\Temp\Retrive2857528709846908978.vbs
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\cscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Creates files inside the system directoryShow sources
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeFile created: C:\Windows\System32\test.txt
Reads the hosts fileShow sources
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Oracle\bin\java.exeFile read: C:\Windows\System32\drivers\etc\hosts
Uses reg.exe to modify the Windows registryShow sources
Source: unknownProcess created: C:\Windows\System32\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GboKDMbfKti /t REG_EXPAND_SZ /d '\'C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe\' -jar \'C:\Users\user\eDdlsoVKfgW\AknzQIkoyKh.qmSBQy\'' /f

HIPS / PFW / Operating System Protection Evasion:

barindex
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: javaw.exeBinary or memory string: F{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: javaw.exeBinary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: javaw.exeBinary or memory string: t/{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}R7Df:5
Source: javaw.exeBinary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}R7Df:5
Source: javaw.exeBinary or memory string: t/{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}^
Source: javaw.exeBinary or memory string: "{"ACTIVE_WINDOW":"Program Manager"
Source: javaw.exeBinary or memory string: t/{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}]h
Source: javaw.exeBinary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}^
Source: javaw.exeBinary or memory string: {"ACTIVE_WINDOW":"Program Manager","COMMAND":5}can.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":1,"SERVER_PATH":"C:\\Users\\user\\eDdlsoVKfgW\\AknzQIkoyKh.qmSBQy","VBOX":false,"RAM":"511.6 MB"},"psview.exe","quamgr.ex
Source: javaw.exeBinary or memory string: t/{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}.exe","Bav.exe","BavWebClient.exe","BavUpdater.exe"],"NAME":"Baidu Antivirus 2015"},{"PROCESS":["MCShieldCCC.exe","MCShieldRTM.exe","MCShieldDS.exe","MCS-Uninstall.exe"],"NAME":"MCShield Anti-Malware Tool"},{"PROCESS":["SDScan.exe","SDFSSvc.exe","SDWelcome.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"},{"PROCESS":["UnThreat.exe","utsvc.exe"],"NAME":"UnThreat Antivirus"},{"PROCESS":["FortiClient.exe","fcappdb.exe","FCDBlog.exe","FCHelper64.exe","fmon.exe","FortiESNAC.exe","FortiProxy.exe","FortiSSLVPNdaemon.exe","FortiTray.exe","FortiFW.exe","FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},{"PROCESS":["CertReg.exe","FilMsg.exe","FilUp.exe","filwscc.exe","filwscc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":1,"SERVER_PATH":"C:\\Users\\user\\eDdlsoVKfgW\\AknzQIkoyKh.qmSBQy","VBOX":false,"RAM":"511.6 MB"}E":"VIPRE Security 20
Source: java.exe, javaw.exeBinary or memory string: Progman
Source: javaw.exeBinary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}]h
Source: javaw.exeBinary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}.exe","Bav.exe","BavWebClient.exe","BavUpdater.exe"],"NAME":"Baidu Antivirus 2015"},{"PROCESS":["MCShieldCCC.exe","MCShieldRTM.exe","MCShieldDS.exe","MCS-Uninstall.exe"],"NAME":"MCShield Anti-Malware Tool"},{"PROCESS":["SDScan.exe","SDFSSvc.exe","SDWelcome.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"},{"PROCESS":["UnThreat.exe","utsvc.exe"],"NAME":"UnThreat Antivirus"},{"PROCESS":["FortiClient.exe","fcappdb.exe","FCDBlog.exe","FCHelper64.exe","fmon.exe","FortiESNAC.exe","FortiProxy.exe","FortiSSLVPNdaemon.exe","FortiTray.exe","FortiFW.exe","FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},{"PROCESS":["CertReg.exe","FilMsg.exe","FilUp.exe","filwscc.exe","filwscc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":1,"SERVER_PATH":"C:\\Users\\user\\eDdlsoVKfgW\\AknzQIkoyKh.qmSBQy","VBOX":false,"RAM":"511.6 MB"}E":"VIPRE Security 20
Source: javaw.exeBinary or memory string: t/{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: java.exe, javaw.exeBinary or memory string: Program Manager
Source: java.exe, javaw.exeBinary or memory string: Shell_TrayWnd

Anti Debugging:

barindex
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeMemory protected: page read and write and page guard
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))Show sources
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeSystem information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

barindex
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)Show sources
Source: java.exeBinary or memory string: {"NETWORK":[{"PORT":7777,"DNS":"127.0.0.1"}],"INSTALL":false,"MODULE_PATH":"zS/lq/BTk.GI","PLUGIN_FOLDER":"DdWDtpinxpf","JRE_FOLDER":"HSIROD","JAR_FOLDER":"fUTkALeaTxM","JAR_EXTENSION":"Vybgol","ENCRYPT_KEY":"cPFjgddXIBcXBCIseEuXTZjwi","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":false,"PLUGIN_EXTENSION":"DhjWU","WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"uiylKSALYJr","JAR_REGISTRY":"WLyQyhWoosi","DELAY_CONNECT":2,"VBOX":false}
Source: java.exeBinary or memory string: VMWARE[@p
Source: javaw.exeBinary or memory string: _well_known_klasses[SystemDictionary::VirtualMachineError_klass_knum]
Source: javaw.exeBinary or memory string: VMWARE
Source: javaw.exeBinary or memory string: Unable to link/verify VirtualMachineError class
Source: javaw.exeBinary or memory string: java/lang/VirtualMachineError
Source: java.exeBinary or memory string: VMWARE#H~
Source: java.exe, javaw.exeBinary or memory string: cjava/lang/VirtualMachineError
Source: javaw.exeBinary or memory string: k{constant pool}code cache C-heap hand metaspace chunks dict zone strs syms heap threads [Verifying Genesis-2147483648Unable to link/verify Finalizer.register methodUnable to link/verify ClassLoader.addClass methodProtectionDomain.impliesCreateAccessControlContext() has the wrong linkageUnable to link/verify Unsafe.throwIllegalAccessError methodJava heap space: failed reallocation of scalar replaced objectsGC overhead limit exceededRequested array size exceeds VM limitCompressed class spaceJava heap spaceUnable to link/verify VirtualMachineError classD:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\hotspot\src\share\vm\oops\arrayKlass.cpp[]guarantee(component_mirror()->klass() != NULL) failedshould have a classD:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\hotspot\src\share\vm\gc_interface/collectedHeap.inline.hpp - length: %dguarantee(a->length() >= 0) failedarray with negative length?guarantee(obj->is_array()) failedmust be arrayshould be klassguarantee(is_constantPool())
Source: java.exeBinary or memory string: {"NETWORK":[{"PORT":7777,"DNS":"127.0.0.1"}],"INSTALL":false,"MODULE_PATH":"zS/lq/BTk.GI","PLUGIN_FOLDER":"DdWDtpinxpf","JRE_FOLDER":"HSIROD","JAR_FOLDER":"fUTkALeaTxM","JAR_EXTENSION":"Vybgol","ENCRYPT_KEY":"cPFjgddXIBcXBCIseEuXTZjwi","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":false,"PLUGIN_EXTENSION":"DhjWU","WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"uiylKSALYJr","JAR_REGISTRY":"WLyQyhWoosi","DELAY_CONNECT":2,"VBOX":false}
Source: java.exe, javaw.exeBinary or memory string: $[Ljava/lang/VirtualMachineError;
Source: java.exeBinary or memory string: VMWARE;
Enumerates the file systemShow sources
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeFile opened: C:\Users\user\AppData\Roaming\Oracle\lib\
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeFile opened: C:\Users\user\AppData\Roaming\Oracle\lib\ext\
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeFile opened: C:\Users\user\AppData\Roaming\
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeFile opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeFile opened: C:\Users\user\AppData\Roaming\Oracle\
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeFile opened: C:\Users\user\AppData\
Found dropped PE file which has not been started or loadedShow sources
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kcms.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_es2.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe
Source: C:\Windows\System32\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe TID: 3832Thread sleep time: -100s >= -60s
Source: C:\Windows\System32\cscript.exe TID: 3508Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\cscript.exe TID: 3568Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\cscript.exe TID: 3640Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\cscript.exe TID: 3700Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\cscript.exe TID: 4068Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\cscript.exe TID: 2232Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\cscript.exe TID: 2200Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\cscript.exe TID: 772Thread sleep time: -60000s >= -60s
Tries to detect sandboxes and other dynamic analysis tools (process name)Show sources
Source: java.exe, javaw.exeBinary or memory string: WIRESHARK.EXE
Source: java.exe, javaw.exeBinary or memory string: PROCEXP.EXE
Source: java.exe, javaw.exeBinary or memory string: SUPERANTISPYWARE.EXE
Source: java.exe, javaw.exeBinary or memory string: DUMPCAP.EXE

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOX

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
AV process strings found (often used to terminate AV products)Show sources
Source: java.exe, javaw.exeBinary or memory string: K7TSMngr.exe
Source: java.exe, javaw.exeBinary or memory string: SCANWSCS.EXE
Source: java.exe, javaw.exeBinary or memory string: FSMA32.EXE
Source: java.exe, javaw.exeBinary or memory string: K7PSSrvc.exe
Source: java.exe, javaw.exeBinary or memory string: SBAMSvc.exe
Source: java.exe, javaw.exeBinary or memory string: procexp.exe
Source: java.exe, javaw.exeBinary or memory string: FPWin.exe
Source: java.exe, javaw.exeBinary or memory string: MSASCui.exe
Source: java.exe, javaw.exeBinary or memory string: QUHLPSVC.EXE
Source: java.exe, javaw.exeBinary or memory string: wireshark.exe
Source: java.exe, javaw.exeBinary or memory string: EMLPROXY.EXE
Source: java.exe, javaw.exeBinary or memory string: BullGuard.exe
Source: java.exe, javaw.exeBinary or memory string: guardxservice.exe
Source: java.exe, javaw.exeBinary or memory string: acs.exe
Source: java.exe, javaw.exeBinary or memory string: K7TSecurity.exe
Source: java.exe, javaw.exeBinary or memory string: FProtTray.exe
Source: java.exe, javaw.exeBinary or memory string: op_mon.exe
Source: java.exe, javaw.exeBinary or memory string: AVKService.exe
Source: java.exe, javaw.exeBinary or memory string: fsgk32.exe
Source: java.exe, javaw.exeBinary or memory string: virusutilities.exe
Source: java.exe, javaw.exeBinary or memory string: FPAVServer.exe
Source: java.exe, javaw.exeBinary or memory string: K7RTScan.exe
Source: java.exe, javaw.exeBinary or memory string: cmdagent.exe
Source: java.exe, javaw.exeBinary or memory string: ONLINENT.EXE
Source: java.exe, javaw.exeBinary or memory string: SUPERAntiSpyware.exe
Source: java.exe, javaw.exeBinary or memory string: MsMpEng.exe
Source: java.exe, javaw.exeBinary or memory string: AVKTray.exe
Source: java.exe, javaw.exeBinary or memory string: ClamTray.exe
Source: java.exe, javaw.exeBinary or memory string: K7EmlPxy.EXE
Source: java.exe, javaw.exeBinary or memory string: ClamWin.exe
Source: java.exe, javaw.exeBinary or memory string: FSM32.EXE
Source: java.exe, javaw.exeBinary or memory string: SBAMTray.exe
Source: java.exe, javaw.exeBinary or memory string: K7FWSrvc.exe
Source: java.exe, javaw.exeBinary or memory string: mbam.exe
Source: java.exe, javaw.exeBinary or memory string: AVKProxy.exe
Source: java.exe, javaw.exeBinary or memory string: FilMsg.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)Show sources
Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct
Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - Select * from FirewallProduct
Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct
Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - Select * from FirewallProduct
Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct
Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct
Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - Select * from FirewallProduct
Source: C:\Windows\System32\cscript.exeWMI Queries: IWbemServices::ExecQuery - Select * from FirewallProduct

Language, Device and Operating System Detection:

barindex
Queries the cryptographic machine GUIDShow sources
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries time zone informationShow sources
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeKey value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation DynamicDaylightTimeDisabled

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behavior_graph main Behavior Graph ID: 353368 Sample:  75Doc 0.26777400 15... Startdate:  31/08/2017 Architecture:  WINDOWS Score:  92 0 cmd.exe main->0      started     3 cmd.exe 1 main->3      started     3195sig Exploit detected, runtime environment starts unknown processes 13035sig ADWIND Rat detected 3196sig Exploit detected, runtime environment starts unknown processes 52312sig Drops files with a non-matching file extension (content does not match file extension) 64618sig Creates autostart registry keys to launch java 64621sig Creates autostart registry keys to launch java 522d1e346634sig Detected TCP or UDP traffic on non-standard ports 130322sig ADWIND Rat detected d1e346634 178.175.138.167, 9010 ICSTrabia-NetworkSRL Moldova Republic of d1e346634->522d1e346634sig d1e346635 127.0.0.1, unknown unknown d1e15903 eh9sgr55h6h6915rsmok8ur..., 88K d1e15981 f7pq8t8da1omqdcab2d3jai..., DOS d1e16895 7v6jmifl7924rs3o22n3726..., COM d1e346829reduced Dropped files exeeded maximum capacity for this level. 87 dropped files have been hidden. d1e346829 JAWTAccessBridge.dll, PE32 d1e346839 JavaAccessBridge.dll, PE32 d1e346728 Windows8952294696781336..., PE32 1 7za.exe 184 0->1      started     5 java.exe 25 3->5      started     1->d1e15903 dropped 1->d1e15981 dropped 1->d1e16895 dropped 5->3195sig 5->13035sig 6reduced Processes exeeded maximum capacity for this level. 3 processes have been hidden. 5->6reduced      started     6 java.exe 15 5->6      started     7 cmd.exe 5->7      started     9 cmd.exe 5->9      started     12 xcopy.exe 5->12      started     18 reg.exe 5->18      started     21 javaw.exe 5->21      started     6->3196sig 6->d1e346635 11reduced Processes exeeded maximum capacity for this level. 1 process has been hidden. 6->11reduced      started     11 cmd.exe 6->11      started     14 cmd.exe 6->14      started     8 cscript.exe 7->8      started     10 cscript.exe