Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 14, 2024, 1:21 p.m.	Aug. 14, 2024, 1:23 p.m.

Size	5.0MB
Type	Zip archive data, at least v1.0 to extract
MD5	`543e736a1f4b4f0cb420b076b478e85b`
SHA256	`7096a90b6c9a8fbe6c56af1dd49e3fe578308fc1bec054bf2572b6ca9b635439`
CRC32	`CBD03A66`
ssdeep	`98304:PSVhsnvDr9d1GFobjRvhi65kNC00lP3RBeCQ6z74QT9ky2e:6VhUrHoFoxvmN2RkMzAe`
Yara	zip_file_format - ZIP file format OS_Processor_Check_Zero - OS Processor Check

java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar C:\Users\test22\AppData\Local\Temp\rt.jar
1940

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (17 events)

Time & API	Arguments	Status	Return
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: Error: A JNI error has occurred, please check your installation and try again console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: Exception console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: in thread "main" console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: java.lang.UnsupportedClassVersionError: io/github/luxotick/Start has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 52.0 console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.lang.ClassLoader.defineClass1(Native Method) console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.lang.ClassLoader.defineClass(Unknown Source) console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.security.SecureClassLoader.defineClass(Unknown Source) console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.net.URLClassLoader.defineClass(Unknown Source) console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.net.URLClassLoader.access$100(Unknown Source) console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.net.URLClassLoader$1.run(Unknown Source) console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.net.URLClassLoader$1.run(Unknown Source) console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.security.AccessController.doPrivileged(Native Method) console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.net.URLClassLoader.findClass(Unknown Source) console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.lang.ClassLoader.loadClass(Unknown Source) console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source) console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at java.lang.ClassLoader.loadClass(Unknown Source) console_handle: 0x0000000b	1	1
WriteConsoleA Aug. 14, 2024, 1:21 p.m.	buffer: at sun.launcher.LauncherHelper.checkAndLoadMain(Unknown Source) console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 14, 2024, 1:21 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 14, 2024, 1:21 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2670202 registers.esp: 11859016 registers.edi: 1 registers.eax: 6 registers.ebp: 1950536896 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02698000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02708000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02718000 process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 14, 2024, 1:21 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x16200000 process_handle: 0xffffffff	1	0	0

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Lionic	Trojan.Script.Java.4!c
Cynet	Malicious (score: 99)
Skyhigh	RDN/Generic PWS.y
ALYac	Java.Trojan.GenericGBA.35954
VIPRE	Java.Trojan.GenericGBA.36137
BitDefender	Java.Trojan.GenericGBA.36137
Arcabit	Java.Trojan.GenericGBA.D8D29 [many]
ESET-NOD32	multiple detections
McAfee	RDN/Generic PWS.y
Avast	Java:Malware-gen [Trj]
MicroWorld-eScan	Java.Trojan.GenericGBA.36137
Emsisoft	Java.Trojan.GenericGBA.36137 (B)
F-Secure	Malware.JAVA/AVI.Agent.tutjs
FireEye	Java.Trojan.GenericGBA.36137
Google	Detected
Avira	JAVA/AVI.Agent.tutjs
MAX	malware (ai score=85)
GData	Java.Trojan.GenericGBA.36137
Varist	ABRisk.XAJZ-0
Ikarus	Trojan.Java.Ratty
AVG	Java:Malware-gen [Trj]
alibabacloud	Trojan[spy]:Java/Agent.AP

rt.jar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All