File verdict · Decided by the MT AI Engine
Our call

Safe

Unsigned Java research tool; 17 tier-1 engines silent; javaagent instrumentation and reverse-engineering filename pattern consistent with dynamic analysis.

Trust score: 88 (High trust)
MT AI confidence · 92%
22qq-cracked-1.jar
728.3 KB
e5d40123e79a888b36ef6b26b3a2
Antivirus engines
0 of 75 flagged
Code signing
Unsigned
Age
First seen 2mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 92% (Very high)
Reasoning

The file exhibits a clean engine consensus: zero malicious detections, 17 tier-1 engines silent, no tier-1 family agreement. The filename pattern and heuristic trigger ('filename_research_tool') align with Java reverse-engineering tooling. Sandbox behaviour shows javaagent instrumentation (jartracer.jar) and Java process execution — hallmarks of dynamic analysis, not malware. The two offensive MITRE techniques (service modification, tool disabling) are consistent with sandbox-evasion detection in a research context. No external-intel hits, no malicious children, no malicious contacted hosts. Community feedback explicitly rates it clean. The unsigned status is typical for research tools.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. 0/66 engines malicious; tier1Malicious=0; 17 tier-1 engines (Kaspersky, Microsoft, BitDefender, ESET-NOD32, Fortinet, Avira, Emsisoft, F-Secure, GData, Ikarus, DrWeb, Avast, AVG) all silent

  2. filenameAnalysis.looksLikeResearchTool=true; triggeredHeuristics 'filename_research_tool' fired (info severity)

  3. Behaviour: 2 offensive MITRE (T1543.002, T1562.001) but 9 ambient; javaagent instrumentation (jartracer.jar) in sandbox execution — reverse-engineering pattern, not malware

  4. droppedChildren: 6 inspected, 0 malicious; no malicious contacted hosts; no external-intel hits (CIRCL, MalwareBazaar, YARAify all negative)

  5. Community annotation: 'Verdict: Clean Score: 0/100'; prevalence medium (251 submitters, 283 submissions) — consistent with shared research tool

Points in its favour
  • Zero malicious detections across 66 engines; 17 tier-1 vendors silent
  • Filename and heuristic pattern consistent with Java reverse-engineering tooling
  • Javaagent instrumentation (jartracer.jar) indicates dynamic-analysis framework, not malware
  • Medium prevalence (283 submissions, 251 sources) suggests legitimate community distribution
  • Community annotation explicitly rates file as clean
What to do

This file is safe to use in a controlled reverse-engineering or dynamic-analysis environment. No quarantine or remediation is necessary.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
11

Adversary techniques mapped to the MITRE ATT&CK framework.

T1064, T1082, T1106, T1202, T1497, T1518.001, T1543.002, T1562.001, T1564, T1564.001, T1564.003
Spawned processes
11
  • "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\<USER>\Desktop\download.jar"
  • C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  • C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Java\jre1.8.0_441\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\runtime.jar"" >> C:\cmdlinestart.log 2>&1
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  • "C:\Program Files\Java\jre1.8.0_441\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\runtime.jar"
  • /bin/sh sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog
  • /usr/lib/rsyslog/rsyslog-rotate
  • /usr/bin/systemctl systemctl kill -s HUP rsyslog.service
+3 more processes captured.
Filesystem & mutexes
13
Files written: 11
  • C:\Users\<USER>\AppData\Local\Temp\hsperfdata_<USER>\5760
  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c8786.timestamp
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user\6560
+6 more
Files deleted: 2
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user\2240
  • /tmp/hsperfdata_root/5008
Dropped payload

Files this sample writes at runtime

This file drops 6 children at runtime. None are currently flagged malicious in our cache.

6 unseen
No researcher-database hits
External threat-intel sources were not collected for this scan.
Antivirus engine breakdown

0 detections across 75 engines

0 malicious · 0 suspicious · 75 clean
  • Tier-1 (17 engines, 0 flagged): Top commercial AVs (low FP rate)
  • Tier-2 (38 engines, 0 flagged): Mainstream engines with mixed FP rates
  • Low-trust (20 engines, 0 flagged): Heuristic / generic-AI engines (high FP rate)
All 75 engines report this file as clean.
Hash e5d40123e79a… cross-referenced against 75 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
251
Hundreds of people have uploaded this — common.
Total submissions
283
Includes repeat uploads by the same source.
First seen by VT
2mo ago
Apr 16, 2026
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
4/16/2026, 9:58:12 PM
First seen (MalwareBazaar)
Last analysis (VT)
6/6/2026, 4:26:04 AM
Scanned here
6/15/2026, 2:20:26 PM
File name
22qq-cracked-1.jar
Size
728.3 KB
MIME type
(unknown)
Detected type
JAR
SHA-256
e5d40123e79a888b36494bdd1e54052eddd7593b5e08405239a6f4ef6b26b3a2
MD5
da8249ed8d772589e8aa57f3c5b196c5
SHA-1
24be9d2a27bb567e7829c742b6f74783ceeca426
First scan (MalwareTips)
6/15/2026, 2:20:26 PM
Last scan (MalwareTips)
6/15/2026, 2:20:26 PM
Behavior tags
long-sleeps, jar, sets-process-name, checks-cpu-name, detect-debug-environment
Community classification

Reviews & malware reports (0)

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.