Blue20Jeans20Launcher.exe
This report is generated from a file or URL submitted to this webservice on April 20th 2018 03:03:45 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Contains a remote desktop related string
- Spyware
  - Accesses potentially sensitive information from local browsers
- Persistence
  - Modifies System Certificates Settings
  - Spawns a lot of processes
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior
  - Contacts 2 domains and 1 host
Additional Context
Related Sandbox Artifacts
- Associated URLs
- hxxp://swdl.bluejeans.com/desktop/win/launchers/Blue%20Jeans%20Launcher.exe
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (8)

External Systems

Sample was identified as malicious by at least one Antivirus engine
- details: 1/68 Antivirus vendors marked sample as malicious (1% detection rate)
- source: External System
- relevance: 8/10
General

The analysis extracted a file that was identified as malicious
- details: 1/68 Antivirus vendors marked dropped file "bjnAppCapture32.exe" as malicious (classified as "Adware.OutBrowseCRTD" with 1% detection rate)
- source: Binary File
- relevance: 10/10
The analysis spawned a process that was identified as malicious
- details:
1/66 Antivirus vendors marked spawned process "BlueJeans.exe" (PID: 1480) as malicious (classified as "Adware.OutBrowseCRTD" with 1% detection rate)
1/66 Antivirus vendors marked spawned process "BlueJeans.exe" (PID: 1492) as malicious (classified as "Adware.OutBrowseCRTD" with 1% detection rate)
1/66 Antivirus vendors marked spawned process "BlueJeans.exe" (PID: 1940) as malicious (classified as "Adware.OutBrowseCRTD" with 1% detection rate)
1/66 Antivirus vendors marked spawned process "BlueJeans.exe" (PID: 344) as malicious (classified as "Adware.OutBrowseCRTD" with 1% detection rate)
1/66 Antivirus vendors marked spawned process "BlueJeans.exe" (PID: 1484) as malicious (classified as "Adware.OutBrowseCRTD" with 1% detection rate)
- source: Monitored Target
- relevance: 10/10
Installation/Persistence

Writes data to a remote process
- details:
"<Input Sample>" wrote 1500 bytes to a remote process "%LOCALAPPDATA%\Blue Jeans\App\BlueJeans.exe" (Handle: 1692)
"<Input Sample>" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1692)
"<Input Sample>" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1692)
"<Input Sample>" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1692)
"<Input Sample>" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1692)
"BlueJeans.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1076)
"BlueJeans.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1076)
"BlueJeans.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1076)
"BlueJeans.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1076)
"BlueJeans.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1076)
"BlueJeans.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1096)
"BlueJeans.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1096)
"BlueJeans.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1096)
"BlueJeans.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1096)
"BlueJeans.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1096)
"BlueJeans.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1108)
"BlueJeans.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1108)
"BlueJeans.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1108)
"BlueJeans.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1108)
"BlueJeans.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1108)
"BlueJeans.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1028)
"BlueJeans.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1028)
"BlueJeans.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1028)
"BlueJeans.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1028)
"BlueJeans.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\App\BlueJeans.exe" (Handle: 1028)
"BlueJeans.exe" wrote 1500 bytes to a remote process "C:\Windows\SysWOW64\reg.exe" (Handle: 1096)
"BlueJeans.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\reg.exe" (Handle: 1096)
"BlueJeans.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\reg.exe" (Handle: 1096)
"BlueJeans.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\reg.exe" (Handle: 1096)
"BlueJeans.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\reg.exe" (Handle: 1096)
- source: API Call
- relevance: 6/10
System Security

Modifies System Certificates Settings
- details:
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
- source: Registry Access
- relevance: 8/10
Unusual Characteristics

Contains native function calls
- details: NtdllDefWindowProc_W@NTDLL.DLL from Blue20Jeans20Launcher.exe (PID: 3096)
- source: Hybrid Analysis Technology
- relevance: 5/10
Spawns a lot of processes
- details:
Spawned process "<Input Sample>"
Spawned process "BlueJeans.exe" with commandline "--installer-session-file="C:\Blue20Jeans20Launcher.exe""
Spawned process "BlueJeans.exe" with commandline "--type=gpu-process --channel="1480.0.1569270475\752711695" --no-sandbox --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,18,40 --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor="Oracle Corporation" --gpu-driver-version=5.0.40.0 /prefetch:822062411"
Spawned process "BlueJeans.exe" with commandline "--type=renderer --js-flags=--harmony --no-sandbox --enable-deferred-image-decoding --lang=en-US --extension-process --nodejs --working-directory="%LOCALAPPDATA%\Blue Jeans\desktop\execdir\package.nw" --node-main=node-main.js --device-scale-factor=1 --font-cache-shared-mem-suffix=1480 --enable-pinch-virtual-viewport --enable-delegated-renderer --num-raster-threads=1 --channel="1480.1.397193141\1577844957" /prefetch:673131151"
Spawned process "BlueJeans.exe" with commandline "--type=renderer --js-flags=--harmony --no-sandbox --enable-deferred-image-decoding --lang=en-US --extension-process --nodejs --working-directory="%LOCALAPPDATA%\Blue Jeans\desktop\execdir\package.nw" --node-main=node-main.js --device-scale-factor=1 --font-cache-shared-mem-suffix=1480 --enable-pinch-virtual-viewport --enable-delegated-renderer --num-raster-threads=1 --channel="1480.2.1116346085\793532653" /prefetch:673131151"
Spawned process "BlueJeans.exe" with commandline ""%LOCALAPPDATA%\Blue Jeans\desktop\carmel-detector\main.js""
Spawned process "reg.exe" with commandline "REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v BlueJeans /t REG_SZ /d "%LOCALAPPDATA%\Blue Jeans\App\BlueJeans.exe init-app-detector" /f"
- source: Monitored Target
- relevance: 8/10
1 malicious indicator is hidden (all indicators are available only in the private webservice or standalone version).
Suspicious Indicators (37)

Cryptographic Related

Found a cryptographic related string
- details: "DES" (Indicator: "des"; File: "bjnAppCaptureDll32.dll.1399120588")
- source: File/Memory
- relevance: 10/10
Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details:
""application/x-virtualbox-hdd": {" (Indicator: "virtualbox")
""application/x-virtualbox-ova": {" (Indicator: "virtualbox")
""application/x-virtualbox-ovf": {" (Indicator: "virtualbox")
""application/x-virtualbox-vbox": {" (Indicator: "vbox")
""application/x-virtualbox-vbox": {" (Indicator: "virtualbox")
""extensions": ["vbox"]" (Indicator: "vbox")
""application/x-virtualbox-vbox-extpack": {" (Indicator: "vbox")
""application/x-virtualbox-vbox-extpack": {" (Indicator: "virtualbox")
""extensions": ["vbox-extpack"]" (Indicator: "vbox")
""application/x-virtualbox-vdi": {" (Indicator: "virtualbox")
""application/x-virtualbox-vhd": {" (Indicator: "virtualbox")
""application/x-virtualbox-vmdk": {" (Indicator: "virtualbox")
- source: File/Memory
- relevance: 4/10
Reads the cryptographic machine GUID
- details:
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"BlueJeans.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
General

Contains ability to find and load resources of a specific module
- details: FindResourceW@KERNEL32.DLL from Blue20Jeans20Launcher.exe (PID: 3096)
- source: Hybrid Analysis Technology
- relevance: 1/10
Reads configuration files
- details:
"<Input Sample>" read file "%PROGRAMFILES%\(x86)\desktop.ini"
"<Input Sample>" read file "%USERPROFILE%\Desktop\desktop.ini"
"<Input Sample>" read file "C:\Users\%USERNAME%\Searches\desktop.ini"
"<Input Sample>" read file "C:\Users\%USERNAME%\Videos\desktop.ini"
"<Input Sample>" read file "C:\Users\%USERNAME%\Pictures\desktop.ini"
"<Input Sample>" read file "C:\Users\%USERNAME%\Contacts\desktop.ini"
"<Input Sample>" read file "C:\Users\%USERNAME%\Favorites\desktop.ini"
"<Input Sample>" read file "C:\Users\%USERNAME%\Music\desktop.ini"
- source: API Call
- relevance: 4/10
Installation/Persistence

Drops executable files
- details:
"Blue Jeans Meeting Launcher.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"bjnAppCaptureDll32.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"bjnAppCapture64.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"bjnAppCapture32.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"bjnAppCaptureDll64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
- source: Binary File
- relevance: 10/10
Network Related

Found potential IP address in binary/memory
- details:
Heuristic match: "{"version": "2.250.6.5","build": "bjnplugin_2.250.6.5","platform": "win","job": "SkinnyGenericWin","package": "skinny_plugin_win_beta_beta-2._2.250.6.5.zip","v": 1}"
"0.1.0.1"
- source: File/Memory
- relevance: 3/10
Reads the hosts file
- details:
"BlueJeans.exe" read 65536 bytes from file "%WINDIR%\System32\drivers\etc\hosts"
"BlueJeans.exe" read 61440 bytes from file "%WINDIR%\System32\drivers\etc\hosts"
- source: API Call
- relevance: 10/10
Pattern Matching

Contains ability to download files from the internet
- details:
InternetReadFile@WININET.DLL from Blue20Jeans20Launcher.exe (PID: 3096)
InternetReadFile@WININET.DLL from Blue20Jeans20Launcher.exe (PID: 3096)
- source: Hybrid Analysis Technology
- relevance: 10/10
Ransomware/Banking

Contains many references to file extensions (often found in ransomware)
- details:
Found reference to a lot of file extensions within a single string: .3dm, .3gp, .doc, .ppt, .sqlite3, .xls, .act, .ads, .ai, .ait, .al, .asc, .avi, .bin, .bmp, .cer, .cmd, .config, .contact, .cs, .dat, .ddd, .der, .des, .djv, .djvu, .doc, .dwg, .dxf, .eml, .eps, .esm, .ff, .fla, .fpx, .gif, .groups, .html, .java, .jpg, .js, .key, .kf, .log, .map, .max, .md, .mdc, .mid, .mov, .mp4, .mpeg, .msg, .obj, .otp, .pat, .pcd, .pdf, .pkpass, .pl, .plc, .png, .ppt, .ps, .pst, .py, .rar, .rim, .rm, .sb, .sh, .sid, .sql, .sqlite, .sqlite3, .svg, .swf, .tex, .tif, .tiff, .vb, .vmx, .wad, .wav, .xf, .xls, .xml, .zip
- source: File/Memory
- relevance: 10/10
The input sample dropped very many files
- details: The input sample dropped 609 files (often an indicator for ransomware)
- source: Binary File
- relevance: 5/10
Remote Access Related

Contains a remote desktop related string
- details: ""application/vnd.realvnc.bed": {" (Indicator for product: Generic VNC)
- source: File/Memory
- relevance: 10/10
Spyware/Information Retrieval

Accesses potentially sensitive information from local browsers
- details: "BlueJeans.exe" had access to "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Chromium\BrowserCrashDumpAttempts" (Type: "KeyHandle")
- source: Touched Handle
- relevance: 7/10
System Destruction

Marks file for deletion
- details:
"%LOCALAPPDATA%\Blue Jeans\App\BlueJeans.exe" marked "%LOCALAPPDATA%\Blue Jeans\desktop\carmel-detector\startup" for deletion
"%LOCALAPPDATA%\Blue Jeans\App\BlueJeans.exe" marked "%LOCALAPPDATA%\Blue Jeans\desktop\carmel-detector\startup\com.bluejeans.app.detector.plist" for deletion
"%LOCALAPPDATA%\Blue Jeans\App\BlueJeans.exe" marked "%LOCALAPPDATA%\Blue Jeans\desktop\carmel-detector\startup\start-carmel-detector.sh" for deletion
- source: API Call
- relevance: 10/10
Opens file with deletion access rights
- details:
"BlueJeans.exe" opened "%LOCALAPPDATA%\Blue Jeans\desktop\Web Data-wal" with delete access
"BlueJeans.exe" opened "%LOCALAPPDATA%\Blue Jeans\desktop\Local Storage\file__0.localstorage-wal" with delete access
"BlueJeans.exe" opened "%LOCALAPPDATA%\Blue Jeans\desktop\carmel-detector\startup" with delete access
- source: API Call
- relevance: 7/10
System Security

Modifies Software Policy Settings
- details:
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS")
- source: Registry Access
- relevance: 10/10
Modifies proxy settings
- details:
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
Queries sensitive IE security settings
- details: "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10
Unusual Characteristics

CRC value set in PE header does not match actual value
- details:
"Blue Jeans Meeting Launcher.exe" claimed CRC 189731 while the actual is CRC 272230
"bjnAppCaptureDll32.dll" claimed CRC 198717 while the actual is CRC 189731
"bjnAppCapture64.exe" claimed CRC 453370 while the actual is CRC 198717
"bjnAppCapture32.exe" claimed CRC 359516 while the actual is CRC 453370
"bjnAppCaptureDll64.dll" claimed CRC 238485 while the actual is CRC 359516
- source: Static Parser
- relevance: 10/10
Imports suspicious APIs
- details:
RegOpenKeyExW, OutputDebugStringW, GetModuleFileNameW, IsDebuggerPresent, LockResource, GetCommandLineW, UnhandledExceptionFilter, LoadLibraryExW, GetStartupInfoW, GetProcAddress, WriteFile, CreateThread, GetModuleHandleA, GetTempPathW, GetModuleHandleW, TerminateProcess, GetModuleHandleExW, FindResourceW, CreateFileW, Sleep, VirtualAlloc, ShellExecuteExW, FindWindowW, HttpQueryInfoW, InternetConnectW, InternetCrackUrlW, InternetCloseHandle, HttpSendRequestW, InternetReadFile, InternetOpenW, ShellExecuteW, OpenProcessToken, GetModuleFileNameA, OpenFileMappingW, OpenProcess, GetCommandLineA, CreateFileMappingW, MapViewOfFile, GetModuleHandleExA, GetWindowThreadProcessId, FindWindowExA, SetWindowsHookExW, FindWindowA, RegCloseKey, CreateToolhelp32Snapshot, LoadLibraryW, GetVersionExW, GetTickCount, Process32NextW, Process32FirstW, CreateProcessW, FindWindowExW
- source: Static Parser
- relevance: 1/10
Installs hooks/patches the running process
- details:
"<Input Sample>" wrote bytes "7d07857781ed8377ae868277c6e08177effd84772d16837760148577478d8277a8e281776089827700000000ad3733778b2d3377b641337700000000" to virtual address "0x73851000" (part of module "WSHTCPIP.DLL")
"<Input Sample>" wrote bytes "7111ba007a3bb900ab8b02007f950200fc8c0200729602006cc805001ecdb6007d26b600" to virtual address "0x76CD07E4" (part of module "USER32.DLL")
"<Input Sample>" wrote bytes "c0df81771cf98077ccf880770d64827700000000c011dd7600000000fc3edd7600000000e013dd760000000094579b7525e08177c6e0817700000000bc6a9a7500000000cf31dd760000000093199b75000000002c32dd7600000000" to virtual address "0x754A1000" (part of module "NSI.DLL")
"<Input Sample>" wrote bytes "0efc847781ed8377ae868277c6e08177effd84772d168377c0fc8077da8f8b7760148577478d8277a8e281776089827700000000ad3733778b2d3377b641337700000000" to virtual address "0x73D41000" (part of module "WSHIP6.DLL")
"BlueJeans.exe" wrote bytes "7111ba007a3bb900ab8b02007f950200fc8c0200729602006cc805001ecdb6007d26b600" to virtual address "0x76CD07E4" (part of module "USER32.DLL")
"BlueJeans.exe" wrote bytes "c0df81771cf98077ccf880770d64827700000000c011dd7600000000fc3edd7600000000e013dd760000000094579b7525e08177c6e0817700000000bc6a9a7500000000cf31dd760000000093199b75000000002c32dd7600000000" to virtual address "0x754A1000" (part of module "NSI.DLL")
"BlueJeans.exe" wrote bytes "7d07857781ed8377ae868277c6e08177effd84772d16837760148577478d8277a8e281776089827700000000ad3733778b2d3377b641337700000000" to virtual address "0x73851000" (part of module "WSHTCPIP.DLL")
"BlueJeans.exe" wrote bytes "0efc847781ed8377ae868277c6e08177effd84772d168377c0fc8077da8f8b7760148577478d8277a8e281776089827700000000ad3733778b2d3377b641337700000000" to virtual address "0x73D41000" (part of module "WSHIP6.DLL")
"reg.exe" wrote bytes "7111ba007a3bb900ab8b02007f950200fc8c0200729602006cc805001ecdb6007d26b600" to virtual address "0x76CD07E4" (part of module "USER32.DLL")
"reg.exe" wrote bytes "c0df81771cf98077ccf880770d64827700000000c011dd7600000000fc3edd7600000000e013dd760000000094579b7525e08177c6e0817700000000bc6a9a7500000000cf31dd760000000093199b75000000002c32dd7600000000" to virtual address "0x754A1000" (part of module "NSI.DLL")
- source: Hook Detection
- relevance: 10/10
Reads information about supported languages
- details:
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"BlueJeans.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
15 suspicious indicators are hidden (all indicators are available only in the private webservice or standalone version).
Informative (29)

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details:
SetUnhandledExceptionFilter@KERNEL32.DLL from Blue20Jeans20Launcher.exe (PID: 3096)
SetUnhandledExceptionFilter@KERNEL32.DLL from Blue20Jeans20Launcher.exe (PID: 3096)
SetUnhandledExceptionFilter@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10
Environment Awareness

Contains ability to query machine time
- details:
GetSystemTimeAsFileTime@KERNEL32.DLL from Blue20Jeans20Launcher.exe (PID: 3096)
GetSystemTimeAsFileTime@KERNEL32.DLL from Blue20Jeans20Launcher.exe (PID: 3096)
- source: Hybrid Analysis Technology
- relevance: 1/10
Contains ability to query the system locale
- details:
GetUserDefaultLCID@KERNEL32.dll
GetUserDefaultLCID@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10
Possibly tries to detect the presence of a debugger
- details: GetProcessHeap@KERNEL32.DLL from Blue20Jeans20Launcher.exe (PID: 3096)
- source: Hybrid Analysis Technology
- relevance: 1/10
Queries volume information
- details:
"BlueJeans.exe" queries volume information of "%LOCALAPPDATA%\Blue Jeans\desktop\execdir\package.nw\node-main.js" at 00017631-00001940-00000046-78408191
"BlueJeans.exe" queries volume information of "C:\" at 00017631-00001940-00000046-78408593
"BlueJeans.exe" queries volume information of "C:\Users" at 00017631-00001940-00000046-78408966
"BlueJeans.exe" queries volume information of "C:\Users\%OSUSER%" at 00017631-00001940-00000046-78409208
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData" at 00017631-00001940-00000046-78409403
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local" at 00017631-00001940-00000046-78409595
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Blue Jeans" at 00017631-00001940-00000046-78409792
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\desktop" at 00017631-00001940-00000046-78409999
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\desktop\execdir" at 00017631-00001940-00000046-78410208
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\desktop\execdir\package.nw" at 00017631-00001940-00000046-78410420
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\desktop\execdir\package.nw\node-main.js" at 00017631-00001940-00000046-78410635
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\desktop\execdir\package.nw\node-main.js" at 00017631-00001940-00000046-78411412
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\desktop\execdir\package.nw\bundle.js" at 00017631-00001940-00000046-78726706
"BlueJeans.exe" queries volume information of "C:\" at 00017631-00001940-00000046-78726940
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\desktop\execdir\package.nw\bundle.js" at 00017631-00001940-00000046-78727115
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\desktop\execdir\package.nw\bundle.js" at 00017631-00001940-00000046-78727581
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\desktop\execdir\package.nw\bundle.js" at 00017631-00001940-00000046-78727852
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\desktop\execdir\package.nw\package.json" at 00017631-00001940-00000046-78775588
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\desktop\execdir\package.nw\package.json" at 00017631-00001940-00000046-78776208
"BlueJeans.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Blue Jeans\desktop" at 00017631-00001940-00000046-78814615
- source: API Call
- relevance: 2/10
Queries volume information of an entire harddrive
- details:
"BlueJeans.exe" queries volume information of "C:\" at 00017631-00001940-00000046-78408593
"BlueJeans.exe" queries volume information of "C:\" at 00017631-00001940-00000046-78726940
"BlueJeans.exe" queries volume information of "C:\" at 00017826-00000344-00000046-78638089
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83791614
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83809008
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83810427
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83813315
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83816216
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83818431
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83821862
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83823147
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83825843
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83830013
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83831244
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83849558
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83852183
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83856708
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83859574
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83862693
"BlueJeans.exe" queries volume information of "C:\" at 00019284-00001484-00000046-83865258
- source: API Call
- relevance: 8/10
Reads the registry for installed applications
- details:
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\BLUEJEANS.EXE")
"<Input Sample>" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\BLUEJEANS.EXE")
"BlueJeans.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\ACRORD32.EXE")
"BlueJeans.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\ACRORD32.EXE")
"BlueJeans.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\ACRORD32.EXE"; Key: "PATH"; Value: "00000000010000006E00000043003A005C00500072006F006700720061006D002000460069006C00650073002000280078003800360029005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C000000")
"BlueJeans.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\QUICKTIMEPLAYER.EXE")
"BlueJeans.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\QUICKTIMEPLAYER.EXE")
"BlueJeans.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WMPLAYER.EXE")
"BlueJeans.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WMPLAYER.EXE")
"BlueJeans.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WMPLAYER.EXE"; Key: "PATH"; Value: "0000000002000000520000002500500072006F006700720061006D00460069006C00650073002800780038003600290025005C00570069006E0064006F007700730020004D006500640069006100200050006C0061007900650072000000")
- source: Registry Access
- relevance: 10/10
General

Accesses Software Policy Settings
- details:
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
-
Accesses System Certificates Settings
- details
-
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\104C63D2546B8021DD105E9FBA5A8D78169F6B32"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\247106A405B288A46E70A0262717162D0903E734"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "") - source
- Registry Access
- relevance
- 10/10
-
Contacts domains
- details
-
"swdl.bluejeans.com"
"api.mixpanel.com" - source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "23.35.119.76:443"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"c:\jenkins\workspace\Carmel-Installer-Windows\BlueJeansInstaller\Release\Blue Jeans Launcher.pdb"
"c:\jenkins\workspace\SkinnyGenericWin@3\skinny\bjnp\Release\bjnp.pdb"
"c:\jenkins\workspace\SkinnyGenericWin@3\skinny\bjnAppCapture\Release\bjnAppCaptureDll32.pdb" - source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\temp.msi"
"BlueJeans.exe" created file "%TEMP%\etilqs_dmkTLBtcU7flzRy" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"Global\_MSIExecute"
"DBWinMutex"
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ChromeProcessSingletonStartup!"
"Local\ChromeProcessSingletonStartup!"
"\Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__"
"\Sessions\1\BaseNamedObjects\Local\__DDrawCheckExclMode__" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "icon_success_96x96.svg" as clean (type is "HTML document ASCII text with very long lines with no line terminators")
Antivirus vendors marked dropped file "bjn-ui-loading-spinner-white-24.svg" as clean (type is "ASCII text with no line terminators")
Antivirus vendors marked dropped file "bjn-ui-loading-spinner-blue-48.svg" as clean (type is "ASCII text")
Antivirus vendors marked dropped file "BJN_logo_white_184x44.svg" as clean (type is "SVG Scalable Vector Graphics image")
Antivirus vendors marked dropped file "outlookintegrator.vbs" as clean (type is "ASCII text with CRLF LF line terminators")
Antivirus vendors marked dropped file "BlueJeansDolby_logo.svg" as clean (type is "HTML document ASCII text with very long lines with no line terminators")
Antivirus vendors marked dropped file "error_icon_56.svg" as clean (type is "SVG Scalable Vector Graphics image")
Antivirus vendors marked dropped file "carmel.svg" as clean (type is "HTML document ASCII text with very long lines with no line terminators")
Antivirus vendors marked dropped file "bjn-ui-loading-spinner-white-18.svg" as clean (type is "ASCII text with no line terminators")
Antivirus vendors marked dropped file "icon_failure_96x96.svg" as clean (type is "SVG Scalable Vector Graphics image")
Antivirus vendors marked dropped file "icon_failure_96x96.svg" as clean (type is "HTML document ASCII text with very long lines with no line terminators")
Antivirus vendors marked dropped file "bjn-ui-eye-closed-grey-16.svg" as clean (type is "HTML document ASCII text with very long lines with no line terminators")
Antivirus vendors marked dropped file "tips_icon.svg" as clean (type is "SVG Scalable Vector Graphics image")
Antivirus vendors marked dropped file "bjn-ui-loading-spinner-orange-16.svg" as clean (type is "ASCII text with very long lines with no line terminators")
Antivirus vendors marked dropped file "jf3_white_logo_184x44.svg" as clean (type is "HTML document ASCII text with very long lines with no line terminators")
Antivirus vendors marked dropped file "bjn-ui-eye-open-orange-16.svg" as clean (type is "HTML document ASCII text with very long lines with no line terminators")
Antivirus vendors marked dropped file "BJN_logo_76x18_svg.svg" as clean (type is "HTML document ASCII text with very long lines with no line terminators")
Antivirus vendors marked dropped file "skinny.svg" as clean (type is "HTML document ASCII text with very long lines with no line terminators")
Antivirus vendors marked dropped file "bjn-ui-loading-spinner-grey-24.svg" as clean (type is "ASCII text with very long lines with no line terminators")
Antivirus vendors marked dropped file "bjn-ui-loading-spinner-white-48.svg" as clean (type is "ASCII text with very long lines with no line terminators") - source
- Binary File
- relevance
- 10/10
-
Process launched with changed environment
- details
-
Process "BlueJeans.exe" was launched with new environment variables: "__COMPAT_LAYER="ElevateCreateProcess""
Process "BlueJeans.exe" was launched with new environment variables: "CHROME_BREAKPAD_PIPE_NAME="\\.\pipe\GoogleCrashServices\S-1-5-21-686412048-2446563785-1323799475-1001""
Process "reg.exe" was launched with modified environment variables: "NUMBER_OF_PROCESSORS" - source
- Monitored Target
- relevance
- 10/10
-
Reads Windows Trust Settings
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Scanning for window names
- details
-
"<Input Sample>" searching for class "Chrome_WidgetWin_0"
"<Input Sample>" searching for class "Chrome_WidgetWin_1"
"<Input Sample>" searching for class "Chrome_WidgetWin_2"
"<Input Sample>" searching for class "Chrome_WidgetWin_3"
"BlueJeans.exe" searching for class "Chrome_MessageWindow" - source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "BlueJeans.exe" with commandline "--installer-session-file="C:\Blue20Jeans20Launcher.exe""
Spawned process "BlueJeans.exe" with commandline "--type=gpu-process --channel="1480.0.1569270475\752711695" --no-sandbox --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,18,40 --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor="Oracle Corporation" --gpu-driver-version=5.0.40.0 /prefetch:822062411"
Spawned process "BlueJeans.exe" with commandline "--type=renderer --js-flags=--harmony --no-sandbox --enable-deferred-image-decoding --lang=en-US --extension-process --nodejs --working-directory="%LOCALAPPDATA%\Blue Jeans\desktop\execdir\package.nw" --node-main=node-main.js --device-scale-factor=1 --font-cache-shared-mem-suffix=1480 --enable-pinch-virtual-viewport --enable-delegated-renderer --num-raster-threads=1 --channel="1480.1.397193141\1577844957" /prefetch:673131151"
Spawned process "BlueJeans.exe" with commandline "--type=renderer --js-flags=--harmony --no-sandbox --enable-deferred-image-decoding --lang=en-US --extension-process --nodejs --working-directory="%LOCALAPPDATA%\Blue Jeans\desktop\execdir\package.nw" --node-main=node-main.js --device-scale-factor=1 --font-cache-shared-mem-suffix=1480 --enable-pinch-virtual-viewport --enable-delegated-renderer --num-raster-threads=1 --channel="1480.2.1116346085\793532653" /prefetch:673131151"
Spawned process "BlueJeans.exe" with commandline ""%LOCALAPPDATA%\Blue Jeans\desktop\carmel-detector\main.js""
Spawned process "reg.exe" with commandline "REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v BlueJeans /t REG_SZ /d "%LOCALAPPDATA%\Blue Jeans\App\BlueJeans.exe init-app-detector" /f" - source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1; see report for more information)
The input sample is signed with a certificate issued by "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US" (SHA1: 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4; see report for more information)
The input sample is signed with a certificate issued by "CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US" (SHA1: A5:32:97:1B:97:F7:AA:99:92:25:7D:9B:AA:63:8B:24:FC:B4:12:0B; see report for more information)
The input sample is signed with a certificate issued by "CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="c 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US" (SHA1: 00:77:90:F6:56:1D:AD:89:B0:BC:D8:55:85:76:24:95:E3:58:F8:A5; see report for more information) - source
- Certificate Data
- relevance
- 10/10
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
-
Installation/Persistence
-
Dropped files
- details
-
"icon_success_96x96.svg" has type "HTML document ASCII text with very long lines with no line terminators"
"Blue Jeans Meeting Launcher.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"bjn-ui-loading-spinner-white-48.svg" has type "ASCII text"
"ZeroClipboard-skinnydom.swf" has type "Macromedia Flash data (compressed) version 9"
"bjn-ui-loading-spinner-white-24.svg" has type "ASCII text with no line terminators"
"jwplayer.flash.swf" has type "Macromedia Flash data (compressed) version 14"
"bjn-ui-loading-spinner-blue-48.svg" has type "ASCII text"
"temp.msi" has type "Composite Document File V2 Document Can't read SAT"
"BJN_logo_white_184x44.svg" has type "SVG Scalable Vector Graphics image"
"bjnAppCaptureDll32.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"outlookintegrator.vbs" has type "ASCII text with CRLF LF line terminators"
"BlueJeansDolby_logo.svg" has type "HTML document ASCII text with very long lines with no line terminators"
"error_icon_56.svg" has type "SVG Scalable Vector Graphics image"
"carmel.svg" has type "HTML document ASCII text with very long lines with no line terminators"
"bjn-ui-loading-spinner-white-18.svg" has type "ASCII text with no line terminators"
"icon_failure_96x96.svg" has type "SVG Scalable Vector Graphics image"
"icon_failure_96x96.svg" has type "HTML document ASCII text with very long lines with no line terminators"
"AkamaiAdvancedJWStreamProvider-edge.swf" has type "Macromedia Flash data (compressed) version 10"
"bjn-ui-eye-closed-grey-16.svg" has type "HTML document ASCII text with very long lines with no line terminators"
"tips_icon.svg" has type "SVG Scalable Vector Graphics image" - source
- Binary File
- relevance
- 3/10
-
Modifies auto-execute functionality by setting/creating a value in the registry
- details
-
"reg.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")
"reg.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "BLUEJEANS"; Value: "%LOCALAPPDATA%\Blue Jeans\App\BlueJeans.exe init-app-detector") - source
- Registry Access
- relevance
- 8/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "C:\Windows\AppPatch\sysmain.sdb"
"<Input Sample>" touched file "C:\Windows\AppPatch\AcLayers.dll"
"<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000005.db"
"<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
"<Input Sample>" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"
"<Input Sample>" touched file "C:\Windows\SysWOW64\rsaenh.dll"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
"<Input Sample>" touched file "C:\Windows\SysWOW64\wshqos.dll"
"<Input Sample>" touched file "C:\Windows\SysWOW64\en-US\KernelBase.dll.mui"
"<Input Sample>" touched file "C:\Windows\SysWOW64\msxml3r.dll"
"<Input Sample>" touched file "C:\Windows\SysWOW64\msimsg.dll" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "http://sv.symcb.com/sv.crl0f"
Pattern match: "https://d.symcb.com/cps0%"
Pattern match: "https://d.symcb.com/rpa0"
Pattern match: "http://sv.symcd.com0&"
Pattern match: "http://sv.symcb.com/sv.crt0"
Pattern match: "http://s2.symcb.com0"
Pattern match: "http://www.symauth.com/cps0"
Pattern match: "http://www.symauth.com/rpa00"
Pattern match: "http://s1.symcb.com/pca3-g5.crl0"
Pattern match: "https://swdl.bluejeans.com/desktop/win/phase/1/live.xml"
Heuristic match: "swdl.bluejeans.com"
Heuristic match: "*.bluejeans.com"
Pattern match: "https://d.symcb.com/rpa0+"
Pattern match: "http://ss.symcb.com/ss.crl0"
Pattern match: "http://ss.symcd.com0&"
Pattern match: "http://ss.symcb.com/ss.crt0"
Pattern match: "http://s2.symcb.com0k"
Pattern match: "http://www.symauth.com/rpa0"
Pattern match: "http://crl.verisign.com/pca3.crl0"
Pattern match: "https://www.verisign.com/cps0"
Pattern match: "logo.verisign.com/vslogo.gif04"
Pattern match: "http://ocsp.verisign.com0"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18%2BP0%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.verisign.com"
Pattern match: "https://d.symcb.com/rpa0#"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE%2FuXQ4cLc0QEGNMJMGmf8%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: s2.symcb.com"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV%2Bc%2FAZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEH6Ev1qcmo%2Fv9vB2Wp%2Bg8Ao%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ss.symcd.com"
Pattern match: "http://www.symauth.com/cps0*"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: s2.symcb.com"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCED514B7me5W0HbksSPMePVE%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: sv.symcd.com"
Heuristic match: "api.mixpanel.com"
Pattern match: "http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK"
Pattern match: "http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE%2FuXQ4cLc0QEGN"
Pattern match: "http://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV%2Bc%2FAZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEH6Ev1qcmo%2Fv9vB2"
Pattern match: "http://www.w3.org/2000/svg"
Pattern match: "http://requirejs.org"
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Heuristic match: "Copyright (c) 2014 Jonathan Ong me@jongleberry.com"
Pattern match: "http://www.w3.org/1999/xlink"
Pattern match: "http://Motobit.cz"
Pattern match: "https://swdl.bluejeans.com/desktop-app/pages/sso.html" - source
- File/Memory
- relevance
- 10/10
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
- ""application/vnd.youtube.yt": {" (Indicator: "youtube")
- source
- File/Memory
- relevance
- 7/10
-
System Security
-
Creates or modifies windows services
- details
-
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
"BlueJeans.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS") - source
- Registry Access
- relevance
- 10/10
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"<Input Sample>" opened "\Device\KsecDD"
"BlueJeans.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"Blue20Jeans20Launcher.exe.bin" was detected as "VC8 -> Microsoft Corporation"
"Blue Jeans Meeting Launcher.exe" was detected as "VC8 -> Microsoft Corporation"
"bjnAppCaptureDll32.dll" was detected as "Borland Delphi 3.0 (???)"
"bjnAppCapture32.exe" was detected as "VC8 -> Microsoft Corporation" - source
- Static Parser
- relevance
- 10/10
File Details
Blue20Jeans20Launcher.exe
- Filename
- Blue20Jeans20Launcher.exe
- Size
- 225KiB (230848 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- f919a156641f7a283701863d9d07bf73ed9ce1709e6f90fdb254b0af46e28615
- MD5
- e634f4093783af9b10f13000b5c02482
- SHA1
- a721aef48178a63ec99597e354411e447017ec31
- ssdeep
- 3072:14wgh7eba9RTpLpBEACnIn++/ou0HONWwd1Cld27L9N:6wgaa/1z0g+D/8153T
- imphash
- 257b5376ba5ca416ddc1825ba11ef6fa
- authentihash
- 768c77afc08e9d487e204d3ef2a9d35d7528e238965d3289348fe3d16e587c1a
- Compiler/Packer
- VC8 -> Microsoft Corporation
- PDB Timestamp
- 08/14/2017 04:10:44 (UTC)
- PDB Pathway
- c:\jenkins\workspace\Carmel-Installer-Windows\BlueJeansInstaller\Release\Blue Jeans Launcher.pdb
- PDB GUID
- E8A769C213E144C9AB5413BDE31C5F1E
Classification (TrID)
- 67.3% (.EXE) Win32 Executable MS Visual C++ (generic)
- 14.2% (.DLL) Win32 Dynamic Link Library (generic)
- 9.7% (.EXE) Win32 Executable (generic)
- 4.3% (.EXE) Generic Win/DOS Executable
- 4.3% (.EXE) DOS Executable Generic
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 12.00 (Visual Studio UNRELEASED) (build: 31101)
- 1 Unknown Resource Files (build: 0)
- 1 .RES Files linked with CVTRES.EXE 12.00 (Visual Studio UNRELEASED)! (build: 21005)
- 3 .CPP Files (with LTCG) compiled with CL.EXE 18.00 (Visual Studio UNRELEASED) (build: 31101)
- 21 .LIB Files generated with LIB.EXE 11.00 (Visual Studio 2012) (build: 65501)
- 49 .CPP Files compiled with CL.EXE 18.00 (Visual Studio UNRELEASED) (build: 21005)
- 122 .C Files compiled with CL.EXE 18.00 (Visual Studio UNRELEASED) (build: 21005)
- 22 .ASM Files assembled with MASM 12.00 (Visual Studio UNRELEASED) (build: 21005)
- 2 .CPP Files compiled with CL.EXE 18.00 (Visual Studio UNRELEASED) (build: 20806)
- File contains C++ code
- File appears to contain raw COFF/OMF content
- File was optimized using LTCG and/or POGO
- File is the product of a small codebase (3 files)
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA (Serial: 7e93ebfb7cc64e59ea4b9a77d406fc3b) | 12/21/2012 01:00:00 to 12/31/2020 00:59:59 | 7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D; 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1 |
CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US | CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US (Serial: ecff438c8febf356e04d86a981b1a50) | 10/18/2012 01:00:00 to 12/30/2020 00:59:59 | 08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37; 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4 |
CN=Blue Jeans Network, O=Blue Jeans Network, L=Mountain View, ST=California, C=US | CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US (Serial: 3e75e01ee67b95b41db92c48f31e3d51) | 12/30/2015 01:00:00 to 03/31/2019 00:59:59 | 77:7D:6E:64:1B:5D:61:74:1F:37:EC:6E:C7:7B:B2:FC; A5:32:97:1B:97:F7:AA:99:92:25:7D:9B:AA:63:8B:24:FC:B4:12:0B |
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US | CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="c 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US (Serial: 3d78d7f9764960b2617df4f01eca862a) | 12/10/2013 01:00:00 to 12/10/2023 00:59:59 | 19:74:60:A7:09:D4:F4:C8:FA:C4:B9:E3:32:20:54:34; 00:77:90:F6:56:1D:AD:89:B0:BC:D8:55:85:76:24:95:E3:58:F8:A5 |
Hybrid Analysis
Analysed 7 processes in total (System Resource Monitor).
- Blue20Jeans20Launcher.exe (PID: 3096) 1/68
- BlueJeans.exe --installer-session-file="C:\Blue20Jeans20Launcher.exe" (PID: 1480) 1/66
- BlueJeans.exe --type=gpu-process --channel="1480.0.1569270475\752711695" --no-sandbox --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,18,40 --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor="Oracle Corporation" --gpu-driver-version=5.0.40.0 /prefetch:822062411 (PID: 1492) 1/66
- BlueJeans.exe --type=renderer --js-flags=--harmony --no-sandbox --enable-deferred-image-decoding --lang=en-US --extension-process --nodejs --working-directory="%LOCALAPPDATA%\Blue Jeans\desktop\execdir\package.nw" --node-main=node-main.js --device-scale-factor=1 --font-cache-shared-mem-suffix=1480 --enable-pinch-virtual-viewport --enable-delegated-renderer --num-raster-threads=1 --channel="1480.1.397193141\1577844957" /prefetch:673131151 (PID: 1940) 1/66
- BlueJeans.exe "%LOCALAPPDATA%\Blue Jeans\desktop\carmel-detector\main.js" (PID: 1484) 1/66
- reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v BlueJeans /t REG_SZ /d "%LOCALAPPDATA%\Blue Jeans\App\BlueJeans.exe init-app-detector" /f (PID: 2700)
- BlueJeans.exe --type=renderer --js-flags=--harmony --no-sandbox --enable-deferred-image-decoding --lang=en-US --extension-process --nodejs --working-directory="%LOCALAPPDATA%\Blue Jeans\desktop\execdir\package.nw" --node-main=node-main.js --device-scale-factor=1 --font-cache-shared-mem-suffix=1480 --enable-pinch-virtual-viewport --enable-delegated-renderer --num-raster-threads=1 --channel="1480.2.1116346085\793532653" /prefetch:673131151 (PID: 344) 1/66
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
swdl.bluejeans.com | 23.35.119.76 (TTL: 3476) | CSC CORPORATE DOMAINS, INC. | United States |
api.mixpanel.com | 159.122.19.207 (TTL: 593) | ENOM, INC. (Organization: WHOISGUARD, INC.; Name Server: NS1.P16.DYNECT.NET; Creation Date: Tue, 13 Mar 2007 00:00:00 GMT) | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
23.35.119.76 | 443 TCP | blue20jeans20launcher.exe PID: 3096 | United States |
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 32 extracted file(s). The remaining 577 file(s) are available in the full version and XML/JSON reports.
-
Malicious 1
-
-
bjnAppCapture32.exe
- Size
- 324KiB (331704 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Adware.OutBrowseCRTD" (1/68)
- Runtime Process
- BlueJeans.exe (PID: 1940)
- MD5
- 568c25a82d6254614cfa130e7bf86561
- SHA1
- 8028ab92bd90b506bc1aec381a8ddd712fce1c8d
- SHA256
- 6bc80e78f1d0577068dcfbf5870fbabdc7d7fa5859a2ee1b19135b3cccfe0112
-
-
Clean 1
-
-
outlookintegrator.vbs
- Size
- 15KiB (15379 bytes)
- Type
- text
- Description
- ASCII text, with CRLF, LF line terminators
- AV Scan Result
- 0/60
- Runtime Process
- BlueJeans.exe (PID: 1480)
- MD5
- f25331992cc870be13a47f2a19559e43
- SHA1
- bcf1b2e9b3d89777f393e2e9763e19ba186c9c9d
- SHA256
- e821647fb0f11a3d00c681656a6d61b12d44a167edef96c99cf3bba5fc42dff0
-
-
Informative Selection 3
-
-
main.js
- Size
- 3.5KiB (3576 bytes)
- Type
- script javascript
- Description
- ASCII text, with very long lines
- Runtime Process
- BlueJeans.exe (PID: 1484)
- MD5
- 438aafaf4bc12ce857d7c815d036b2cc
- SHA1
- eb77b628fc60ca5d8e561bc39e157825a0217e44
- SHA256
- 0749660efc76eb5fbf8fd9366dac764f6ed3884451f024fe02fb58e74c3242c3
-
db.json
- Size
- 150KiB (153514 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- BlueJeans.exe (PID: 1484)
- MD5
- b244b861311853c53f6daa87c2143d9a
- SHA1
- 3ca6d8ba50132fa9c3eed313dba9c83c97bd3b55
- SHA256
- 437bc08d94f0484385f95e77c4d8b37ede4899e94264cbec9d0ace2d50e0ee5a
-
node-main.js
- Size
- 405B (405 bytes)
- Type
- script javascript
- Description
- ASCII text
- Runtime Process
- BlueJeans.exe (PID: 344)
- MD5
- ebdb18ef2181b652808c3f1272737239
- SHA1
- 071622455be0f45087e2c6bae499ba4e1927ce34
- SHA256
- ef765aaa1846b2201edfcdc5f7eb377fa7a1fc01d42e4655b1640ac65466aebd
-
-
Informative 27
-
-
bluejeans.flashtrust.cfg
- Size
- 237B (237 bytes)
- Runtime Process
- BlueJeans.exe (PID: 1480)
- MD5
- 9bd0552f9ff98cc04048d38588504729
- SHA1
- db4a6b336de4caabd781c6212eac481603e269fc
- SHA256
- 6c2da0951e64981cfded1d3f2a90b5f64277996d143fb9b33f40031635bfaae9
-
.bluejeans
- Size
- 26B (26 bytes)
- Runtime Process
- BlueJeans.exe (PID: 1484)
- MD5
- b9de2f7941efceec3c11d0a8bd4360f8
- SHA1
- 6c06ae0c222f494b38c04bf1844d1316cdfa145f
- SHA256
- 45d736f3cccdf5ac42d98cf541ce575b3558d350534b6b3584a2cf35cfcf0c86
-
package.nw.json
- Size
- 70B (70 bytes)
- Runtime Process
- BlueJeans.exe (PID: 1480)
- MD5
- 4e8b5ba1435c91369abe2fc04d433ea5
- SHA1
- 16bf1945c9c76ca423cc4ad175d81d4498a20f05
- SHA256
- db0760d0a58261f18cf0a489cae87a657ed2106963eac2c8131961be4525937f
data_0
- Size: 8KiB (8192 bytes)
- Runtime Process: BlueJeans.exe (PID: 1480)
- MD5: cf89d16bb9107c631daabf0c0ee58efb
- SHA1: 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
- SHA256: d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

data_1
- Size: 8KiB (8192 bytes)
- Runtime Process: BlueJeans.exe (PID: 1480)
- MD5: 259e7ed5fb3c6c90533b963da5b2fc1b
- SHA1: df90eabda434ca50828abb039b4f80b7f051ec77
- SHA256: 35bb2f189c643dcf52ecf037603d104035ecdc490bf059b7736e58ef7d821a09

data_2
- Size: 8KiB (8192 bytes)
- Runtime Process: BlueJeans.exe (PID: 1480)
- MD5: 0962291d6d367570bee5454721c17e11
- SHA1: 59d10a893ef321a706a9255176761366115bedcb
- SHA256: ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

data_3
- Size: 8KiB (8192 bytes)
- Runtime Process: BlueJeans.exe (PID: 1480)
- MD5: 41876349cb12d6db992f1309f22df3f0
- SHA1: 5cf26b3420fc0302cd0a71e8d029739b8765be27
- SHA256: e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

file__0.localstorage
- Size: 3KiB (3072 bytes)
- Runtime Process: BlueJeans.exe (PID: 1480)
- MD5: 9f614004d80f3ce0899456ecb851c8b5
- SHA1: 37ae701234076239a4cfbcde4a637e1c03842e2e
- SHA256: 47642b604b4a3d4b7e031287733ef1eb7e22aa08fc3549d9626151c922aaf919

file__0.localstorage-journal
- Size: 3.5KiB (3608 bytes)
- Runtime Process: BlueJeans.exe (PID: 1480)
- MD5: 6f56447040447543845cf1d664bd37c2
- SHA1: 9a7c1a997dede66bfb041f5a6590894cd3908742
- SHA256: 692c59c1c887eefdc0d66f2f3fcaf220b8e295728a41b403a4b128e8ce62ab96

Web Data
- Size: 40KiB (40960 bytes)
- Runtime Process: BlueJeans.exe (PID: 1480)
- MD5: 2b455f9577d1e7c09f6d417b3005cf94
- SHA1: 60f932c3de47149abe57793d9db946c507098094
- SHA256: d8f9ac1c53666153a5387b342fb6abe5b294a8dc92ea07cab69ada9abbe2b9e7

Web Data-journal
- Size: 512B (512 bytes)
- Runtime Process: BlueJeans.exe (PID: 1480)
- MD5: bf619eac0cdf3f68d496ea9344137e8b
- SHA1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
- SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560

carmel_detector.json
- Size: 80B (80 bytes)
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: f7709727f1eb008318b1b7f60bcbddf8
- SHA1: 962e265f6724052393b752d80619c15a8055ddb2
- SHA256: a1a93037950f2df2062f5d5197bdbafbd58be9a691f04a5e14769776ef08e5d5

blank.png
- Size: 82B (82 bytes)
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: 38c2ac6022f8ebf983bf5fadb1513b5c
- SHA1: 996e6884ecba54ca16807df13fa2747b42018e54
- SHA256: e0e99b0bd6d5ea3ced99add53cc98b6f8eea6eae8ddd773fd06f3489289385fb

logger.js
- Size: 342B (342 bytes)
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: 0851294109cd003946502ca720a9a301
- SHA1: 2753b085a8d0c77d5da6f0279faf982ff87a6651
- SHA256: c83071024e827a584d4f81413041311e255bd55954732da9273a3150a27e300d

base32.js
- Size: 6.6KiB (6715 bytes)
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: 8ca60cf7134772bd920235785f651d7a
- SHA1: 9664fb7e7f73f7cbcabc637f72235948d999e636
- SHA256: f2bae68d0eac5bc0db128950b4dda260c1729b71e8419bdfd5f2a2223a7e0530

boolean_double.js
- Size: 153B (153 bytes)
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: 95da79c3d832dc6c04327f34b1a76385
- SHA1: 2518e416a0c51df56d4c448216b79da1105bb034
- SHA256: 85f12ddbfa94c71dda8e7c7db1b6b9d11d6aa2ca27df1701c89e4d3928475453

boolean_single.js
- Size: 123B (123 bytes)
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: 02a1435cb39e0104c05bb3e4b5e99d70
- SHA1: a56bdd028cdc66e7b7fc57c44c79186da5d331cf
- SHA256: 9390dbda458407eb35ac8fd941fb8b5b7632ff61fc6eae51363b45c91fe61e29

default_hash.js
- Size: 128B (128 bytes)
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: 2228ae81ff2b31a8a8cf5fac731cd714
- SHA1: 1c3fa36f889758e7445b194530deb038e7c76cc9
- SHA256: cb51dc9e271de112145ca01c813dbc27c0dedbb12e77ce839a47a2fa0106b695

default_singles.js
- Size: 137B (137 bytes)
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: a8a54e79ecc60604fdc86d073ebf5c1d
- SHA1: acdb64d1eba7abdbf007e49fdbde5d88c5ec7fe5
- SHA256: 87aa8ec1f641e9e86efcfaed1a4b30db1f793553a61c584e0e228f9aa540a501

Blue Jeans Meeting Launcher.exe
- Size: 143KiB (146360 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: 6f982eed804c7178357f6a633833a154
- SHA1: eefbb12929077b41b43205616a19ecc825bea6d2
- SHA256: 118bd62b65acd10beba32e933e059c97da811e94c03fb70ae985ab797e107637

bjnAppCapture64.exe
- Size: 395KiB (404408 bytes)
- Type: peexe 64bits executable
- Description: PE32+ executable (GUI) x86-64, for MS Windows
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: bd664001ee34e58522a09e65c9d3e761
- SHA1: ff811f5a4adf58f36f238d671643f8a2efe35daf
- SHA256: c13d3fa34738e3427b412d42a420e86917d0d0c949948ebad60949876cf6a835

bjnAppCaptureDll32.dll
- Size: 150KiB (153528 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: ff688628f9a0574ba1efd8ad1b6b4786
- SHA1: 617eb781834754eddcac01ff30e5f1040bb73422
- SHA256: 0cacfb92694dce994543993d791672e65df977ec85c5e5269b05c48dd15d5671

bjnAppCaptureDll64.dll
- Size: 171KiB (175544 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: b989715e4c6d8c04cfb7181ff4e38843
- SHA1: facf309e88adccb197cb50e45b097a43c9992f07
- SHA256: 5c9100154f70377ca457b8e8f4cc1f808a63c7f3ff6b3aaab0275f2651fdb436

AkamaiAdvancedJWStreamProvider-edge.swf
- Size: 303KiB (310612 bytes)
- Type: flash
- Description: Macromedia Flash data (compressed), version 10
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: a66f8cb9f8cb6074a816b70f7511da9b
- SHA1: ff8f8f75a219c053ac9e3aa9618604aa6cad626d
- SHA256: e183bc00ada63b26b655816221b88bb9135ba95d277464653b7668c454cd98d3

ZeroClipboard-skinnydom.swf
- Size: 1.4KiB (1453 bytes)
- Type: flash
- Description: Macromedia Flash data (compressed), version 9
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: 28042ddccc1bddefc9a3834ceff0a56f
- SHA1: 9a334a7bb6cae7cd0690d4be22f2c344847f6f9e
- SHA256: cc1ec3ba285724cc730a7a68e305b809a58f01ad6508a1694646f9f63b961b2c

jwplayer.flash.swf
- Size: 149KiB (152826 bytes)
- Type: flash
- Description: Macromedia Flash data (compressed), version 14
- Runtime Process: BlueJeans.exe (PID: 1940)
- MD5: 6edf972f532e6b8900ef1fc9cbafdcac
- SHA1: 71cceca5d4f718f42e7f5b3640bbc768b4dfa4b8
- SHA256: 900e6fe7637d4a66a8b7ff9ad65695e8eaf8a140ca8ef8620815c41a0d24e6cd

temp.msi
- Size: 4MiB (4194304 bytes)
- Type: text
- Description: Composite Document File V2 Document, Can't read SAT
- Runtime Process: Blue20Jeans20Launcher.exe (PID: 3096)
- MD5: 40524313783fb13800f15592b66abae5
- SHA1: fa218ebd6a8d8fb1b50c802933d66f3ac7c80bf8
- SHA256: 5834cfa526855e019bfe79f681f0d1f3e8689b767c422d8d8a347d038b3dd527

Notifications

Runtime
- A process crash was detected during the runtime analysis
- Extracted file "Blue Jeans Meeting Launcher.exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/118bd62b65acd10beba32e933e059c97da811e94c03fb70ae985ab797e107637/analysis/1524190506/")
- Extracted file "bjn-ui-eye-open-grey-16.svg" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/78f4c6f16889a05ec8be028f33610a9107629a3cc6499a4c73f7d2627f778bbb/analysis/1524190510/")
- Extracted file "bjn-ui-loading-spinner-white-48.svg" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/771ecf32a36678572f79f89edacb6c7c073fbc55fa3996f65266c224a43eae88/analysis/1524190507/")
- Extracted file "bjnAppCapture64.exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/c13d3fa34738e3427b412d42a420e86917d0d0c949948ebad60949876cf6a835/analysis/1524190509/")
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for Blue20Jeans20Launcher.exe (PID: 3096)
- Not all file accesses are visible for BlueJeans.exe (PID: 1480)
- Not all file accesses are visible for BlueJeans.exe (PID: 1484)
- Not all file accesses are visible for BlueJeans.exe (PID: 1492)
- Not all file accesses are visible for BlueJeans.exe (PID: 1940)
- Not all file accesses are visible for BlueJeans.exe (PID: 344)
- Not all file accesses are visible for reg.exe (PID: 2700)
- Not all sources for indicator ID "api-11" are available in the report
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-39" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "binary-10" are available in the report
- Not all sources for indicator ID "binary-16" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report