Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 14, 2023, 6:53 p.m.	Dec. 14, 2023, 6:56 p.m.

Size	5.1KB
Type	Zip archive data, at least v2.0 to extract
MD5	`ca4d1b7b3cf3bf97db02639987bcefd4`
SHA256	`4045425f8d551b9d2274e02d17167cac61b6934a84c81e7dd2e0af67f2e7408d`
CRC32	`BC0F0151`
ssdeep	`96:A+czatSGqiRZokpBrSziVxzI06JSW9ku0Bb2qv63qyqk267no/P0DUVqkeWK+mJR:YatSGqiJrGLSW9kuWb2xqyqk77n6PXqF`
Yara	zip_file_format - ZIP file format

java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar C:\Users\test22\AppData\Local\Temp\spring.jar
1884
- java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -classpath C:\Users\test22\AppData\Local\Temp\~spawn3426946046687536451.tmp.dir metasploit.Payload
  2140
  - java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -classpath C:\Users\test22\AppData\Local\Temp\~spawn8799418705448425022.tmp.dir metasploit.Payload
    2260

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
101.42.164.92	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 14, 2023, 6:53 p.m.		1	1	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Dec. 14, 2023, 6:53 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x22a0202 registers.esp: 33354760 registers.edi: 1 registers.eax: 6 registers.ebp: 1950340288 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Dec. 14, 2023, 6:53 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2410202 registers.esp: 33618264 registers.edi: 1 registers.eax: 6 registers.ebp: 1950340288 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Dec. 14, 2023, 6:53 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2370202 registers.esp: 5634028 registers.edi: 1 registers.eax: 6 registers.ebp: 1950340288 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 59 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02308000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02310000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02318000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02320000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02328000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02330000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02338000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02340000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02348000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02350000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02358000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02410000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02438000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02440000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02448000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02450000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02458000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02460000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02468000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02478000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02480000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02488000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02490000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02498000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02370000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02398000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d8000 process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 14, 2023, 6:53 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x16200000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 14, 2023, 6:53 p.m.	flags: 28 family: 0	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -classpath C:\Users\test22\AppData\Local\Temp\~spawn3426946046687536451.tmp.dir metasploit.Payload
cmdline	"C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -classpath C:\Users\test22\AppData\Local\Temp\~spawn8799418705448425022.tmp.dir metasploit.Payload

Communicates with host for which no DNS query was performed (1 event)

host

101.42.164.92

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\~spawn8799418705448425022.tmp

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

101.42.164.92:47901

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Lionic	Trojan.Script.Java.3!c
ClamAV	Java.Trojan.Agent-36975
CAT-QuickHeal	Exp.JAVA.Agent.ATV
Skyhigh	Exploit-FKL!FCBAA6DA23D3
VIPRE	Java.Trojan.GenericGB.4024
BitDefender	Java.Trojan.GenericGB.4024
Arcabit	Java.Trojan.GenericGB.DFB8
Symantec	Trojan.Gen.NPE
ESET-NOD32	a variant of Java/Exploit.CVE-2012-4681.DA
TrendMicro-HouseCall	Trojan.Java.CVE20124681.D
McAfee	Exploit-FKL!FCBAA6DA23D3
Avast	Java:Agent-AUJ [Expl]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Exploit.Java.Generic
Alibaba	Exploit:JAVA/CVE-2012-4681.bf502c2b
NANO-Antivirus	Exploit.Zip.Heuristic-java.csrvpr
MicroWorld-eScan	Java.Trojan.GenericGB.4024
Emsisoft	Java.Trojan.GenericGB.4024 (B)
F-Secure	Exploit.EXP/JAVA.Loader.Gen
DrWeb	Exploit.Java.1302
Zillya	Exploit.GenericGB.JS.29
TrendMicro	Trojan.Java.CVE20124681.D
FireEye	Java.Trojan.GenericGB.4024
Sophos	ATK/Swrort-QA
Ikarus	Exploit.CVE-2012-4681
Jiangmin	Exploit.Java.uu
Google	Detected
Avira	EXP/JAVA.Loader.Gen
Antiy-AVL	Trojan[Exploit]/Java.CVE-2012-4681
Kingsoft	Win32.Troj.Undef.a
Microsoft	VirTool:Java/Meterpreter.A
ZoneAlarm	HEUR:Exploit.Java.Generic
GData	Java.Trojan.GenericGB.4024
Varist	Java/Agent.BLH
AhnLab-V3	Exploit/JAVA.Generic.XJ5
DeepInstinct	MALICIOUS
Tencent	Java.Exploit.Generic.Umhl
MAX	malware (ai score=86)
Fortinet	Java/CVE_2012_4681.A!exploit
AVG	Java:Agent-AUJ [Expl]

spring.jar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All