Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7 -
submitted
29-06-2020 18:11
General
-
Target
IMG-29062020.jar
-
Size
608KB
-
MD5
e2fdebfb3346325ae26240e1c2e0319b
-
SHA1
e2731770f57600dd347759523db864cf8fd68e7a
-
SHA256
85b509c3352dde65b7dbd7c56207e2bcfe8245bf851132cbd61b93f4343077fc
-
SHA512
4e0f30e6f8adb8b3fd7d1af9120907884d3447e1a6b41d8fac9d6fb5ad8b5e90a223474bda641f64a3f2cfecba06229e562b37e12a2f310d2d09db07a39475d7
Score
10/10
Malware Config
Signatures
-
Loads dropped DLL 31 IoCs
-
Executes dropped EXE 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
-
AdWind
A Java-based RAT family operated as malware-as-a-service.
-
Modifies registry key 1 TTPs 1 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
-
Suspicious use of WriteProcessMemory 90 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Drops file in System32 directory 3 IoCs
-
Adds Run entry to start application 2 TTPs 2 IoCs
Processes
-
C:\Windows\system32\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\IMG-29062020.jar1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exewscript C:\Users\Admin\xdssilkvar.js2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rmeus.txt"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
-
C:\Program Files\Java\jre7\bin\java.exe"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.204081774803700824238728904040171294.class4⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5645672453198199077.vbs5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5645672453198199077.vbs6⤵
-
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3446815263066391033.vbs5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3446815263066391033.vbs6⤵
-
C:\Windows\system32\xcopy.exexcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e5⤵
-
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6596511074867152415.vbs4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6596511074867152415.vbs5⤵
-
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7844688570652582015.vbs4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7844688570652582015.vbs5⤵
-
C:\Windows\system32\xcopy.exexcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e4⤵
-
C:\Windows\system32\cmd.execmd.exe4⤵
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v oLiRcQboziP /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\XtfbYFSllUG\HSlpmBTQGBC.ckIzMd\"" /f4⤵
- Modifies registry key
- Adds Run entry to start application
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\XtfbYFSllUG\*.*"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\XtfbYFSllUG"4⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exeC:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\XtfbYFSllUG\HSlpmBTQGBC.ckIzMd4⤵
- Loads dropped DLL
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exeC:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\Admin\AppData\Local\Temp\_0.39214227785529443862500048043077720.class5⤵
- Loads dropped DLL
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
-
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3347458029807411711.vbs6⤵
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3347458029807411711.vbs7⤵
-
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3552676419193259699.vbs6⤵
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3552676419193259699.vbs7⤵
-
C:\Windows\system32\cmd.execmd.exe6⤵
-
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7735739204227951184.vbs5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7735739204227951184.vbs6⤵
-
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7300778619641369173.vbs5⤵
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7300778619641369173.vbs6⤵
-
C:\Windows\system32\cmd.execmd.exe5⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List5⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Retrive3347458029807411711.vbs
-
C:\Users\Admin\AppData\Local\Temp\Retrive3446815263066391033.vbs
-
C:\Users\Admin\AppData\Local\Temp\Retrive3552676419193259699.vbs
-
C:\Users\Admin\AppData\Local\Temp\Retrive5645672453198199077.vbs
-
C:\Users\Admin\AppData\Local\Temp\Retrive6596511074867152415.vbs
-
C:\Users\Admin\AppData\Local\Temp\Retrive7300778619641369173.vbs
-
C:\Users\Admin\AppData\Local\Temp\Retrive7735739204227951184.vbs
-
C:\Users\Admin\AppData\Local\Temp\Retrive7844688570652582015.vbs
-
C:\Users\Admin\AppData\Local\Temp\_0.204081774803700824238728904040171294.class
-
C:\Users\Admin\AppData\Local\Temp\_0.39214227785529443862500048043077720.class
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1131729243-447456001-3632642222-1000\83aa4cc77f591dfc2374580bbd95f6ba_bae8c589-5da1-4c62-be46-f8d74908cb8c
-
C:\Users\Admin\AppData\Roaming\Oracle\COPYRIGHT
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\awt.dll
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\management.dll
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\net.dll
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\nio.dll
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\sunec.dll
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\sunmscapi.dll
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\accessibility.properties
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\amd64\jvm.cfg
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\meta-index
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\sunec.jar
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\sunjce_provider.jar
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\sunmscapi.jar
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\jce.jar
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\jsse.jar
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\meta-index
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\net.properties
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\resources.jar
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\rt.jar
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\security\US_export_policy.jar
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\security\java.security
-
C:\Users\Admin\AppData\Roaming\Oracle\lib\security\local_policy.jar
-
C:\Users\Admin\AppData\Roaming\rmeus.txt
-
C:\Users\Admin\XtfbYFSllUG\HSlpmBTQGBC.ckIzMd
-
C:\Users\Admin\XtfbYFSllUG\ID.txt
-
C:\Users\Admin\xdssilkvar.js
-
C:\Windows\System32\test.txt
-
C:\Windows\System32\test.txt
-
\Users\Admin\AppData\Local\Temp\Windows3159093458125071447.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\awt.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\awt.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
-
\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
-
\Users\Admin\AppData\Roaming\Oracle\bin\management.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\management.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\net.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\net.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\nio.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\nio.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\sunec.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\sunec.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\sunmscapi.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\sunmscapi.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll
-
\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll
-
memory/280-106-0x00000000024E0000-0x00000000024E4000-memory.dmpFilesize
16KB
-
memory/280-102-0x0000000000000000-mapping.dmp
-
memory/468-107-0x0000000000000000-mapping.dmp
-
memory/752-95-0x0000000000000000-mapping.dmp
-
memory/752-98-0x00000000026B0000-0x00000000026B4000-memory.dmpFilesize
16KB
-
memory/752-27-0x0000000000000000-mapping.dmp
-
memory/1124-5-0x00000000027B0000-0x00000000027B4000-memory.dmpFilesize
16KB
-
memory/1124-32-0x0000000000000000-mapping.dmp
-
memory/1124-1-0x0000000000000000-mapping.dmp
-
memory/1308-26-0x0000000002500000-0x0000000002504000-memory.dmpFilesize
16KB
-
memory/1308-22-0x0000000000000000-mapping.dmp
-
memory/1412-25-0x0000000002410000-0x0000000002414000-memory.dmpFilesize
16KB
-
memory/1412-21-0x0000000000000000-mapping.dmp
-
memory/1432-65-0x0000000000000000-mapping.dmp
-
memory/1484-30-0x0000000000000000-mapping.dmp
-
memory/1496-31-0x0000000000000000-mapping.dmp
-
memory/1512-3-0x0000000000000000-mapping.dmp
-
memory/1540-88-0x0000000000000000-mapping.dmp
-
memory/1548-101-0x0000000000000000-mapping.dmp
-
memory/1580-18-0x0000000002640000-0x0000000002644000-memory.dmpFilesize
16KB
-
memory/1580-13-0x0000000000000000-mapping.dmp
-
memory/1584-120-0x0000000000000000-mapping.dmp
-
memory/1608-28-0x0000000000000000-mapping.dmp
-
memory/1644-12-0x0000000000000000-mapping.dmp
-
memory/1648-40-0x0000000000000000-mapping.dmp
-
memory/1652-17-0x0000000002600000-0x0000000002604000-memory.dmpFilesize
16KB
-
memory/1652-14-0x0000000000000000-mapping.dmp
-
memory/1692-33-0x0000000000000000-mapping.dmp
-
memory/1816-110-0x0000000002640000-0x0000000002644000-memory.dmpFilesize
16KB
-
memory/1816-108-0x0000000000000000-mapping.dmp
-
memory/1840-93-0x0000000000000000-mapping.dmp
-
memory/1860-7-0x0000000000000000-mapping.dmp
-
memory/1932-11-0x0000000000000000-mapping.dmp
-
memory/1944-89-0x0000000000000000-mapping.dmp
-
memory/1944-92-0x0000000002470000-0x0000000002474000-memory.dmpFilesize
16KB
-
memory/1964-100-0x0000000000000000-mapping.dmp
-
memory/1992-112-0x0000000000000000-mapping.dmp
-
memory/2016-20-0x0000000000000000-mapping.dmp
-
memory/2028-19-0x0000000000000000-mapping.dmp