General

  • Target

    JavaTest.rar

  • Size

    92.5MB

  • Sample

    210122-9t9yt3s3ls

  • MD5

    c8d193ac8a6a5e82ef7e40f2d0d54a08

  • SHA1

    d666a27cebb119e84440bde3b1feb1bdf02f914b

  • SHA256

    8131cb31c52ac044f7bf1c6667d3379f094ea27819fa7f6c20951fefc6b3266b

  • SHA512

    a2f2587f26a5bfa7a202ec34e649626620e50941edfff7bd85e3617b2c99f068db3446a1e28ba64f9559cfc55894689cc2da8283cb768334b95b3e4e21def465

Targets

    • Target

      jre-8u281-windows-x64.exe

    • Size

      79.7MB

    • MD5

      c6136758f1fec04a2f7f01249280c315

    • SHA1

      5835e46596fe9f4dfe48fd5dd3947dc650d196ec

    • SHA256

      27fd9a85f2b49ae6a11b15e36ab28c0493d5572357edf2990a65a2b56f1e1157

    • SHA512

      045f33920fb3882d8f24c06e2179934601396636d2ddc360a2a6f03862e40b188506f8da530e4197e4a0e1c79cda48987e810425079377f357fbcf7950c6b030

    • Registers COM server for autorun

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build (one that renames the UPX0/UPX1 sections or strips the "UPX!" marker).

    • Loads dropped DLL

    • Modifies file permissions

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules that act as plug-ins for Internet Explorer; because the browser loads every registered BHO at start-up, a BHO written by the sample runs each time the browser is launched (ATT&CK T1176, Browser Extensions).

    • Drops file in System32 directory
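
The "UPX packed file" signature above is the kind of check an analyst reproduces before handing a sample to a sandbox. The following Python is an added example, not the sandbox's own detection logic: it parses the PE section table and combines the two stock-UPX indicators (UPX0/UPX1 section names, "UPX!" marker) with two layout heuristics that survive a modified UPX build (an empty-on-disk first section and a high-entropy payload section). The function names, the 7.0 bits/byte entropy threshold and the minimal PE32 built by `build_sample()` are assumptions of this example; no real sample bytes are embedded.

```python
"""UPX-packing heuristics over a raw PE32 image.

Added example for the "UPX packed file" signature; it is not the sandbox's own
detector. Function names, the entropy threshold and the constructed sample
are assumptions of this example.
"""
import math
import struct

# Section names written by stock UPX; a modified build renames them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data sits near 8.0


def parse_sections(data: bytes):
    """Walk MZ -> PE -> COFF -> section table; return [(name, vsize, rsize, rptr)]."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                             # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, rsize, rptr))
    return sections


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty buffer)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(data: bytes) -> dict:
    """Individual signals; is_upx_packed() combines them."""
    sections = parse_sections(data)
    names = {s[0] for s in sections}
    first_vsize, first_rsize = (sections[0][1], sections[0][2]) if sections else (0, 0)
    return {
        # Stock UPX leaves its section names and a "UPX!" pack-header magic in the file.
        "upx_section_names": bool(names & UPX_SECTION_NAMES),
        "upx_magic": b"UPX!" in data,
        # A modified UPX strips those strings but keeps the layout: the first
        # section is empty on disk (the unpacking target) and a later section
        # holds the compressed payload plus the decompression stub.
        "empty_first_section": first_rsize == 0 and first_vsize > 0,
        "high_entropy_section": any(
            entropy(data[rptr:rptr + rsize]) > HIGH_ENTROPY
            for _, _, rsize, rptr in sections if rsize
        ),
    }


def is_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return ind["upx_section_names"] or ind["upx_magic"] or (
        ind["empty_first_section"] and ind["high_entropy_section"]
    )


def build_sample(names=(b"UPX0", b"UPX1", b".rsrc"), stamp_magic=True,
                 empty_first=True) -> bytes:
    """Constructed stand-in for a packed PE32 (valid headers, no real code)."""
    assert len(names) == 3
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<HH", hdr, coff, 0x14C, 3)         # Machine=i386, NumberOfSections=3
    struct.pack_into("<H", hdr, coff + 16, 0xE0)         # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", hdr, coff + 20, 0x10B)        # optional header magic PE32
    table = coff + 20 + 0xE0
    layout = [  # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        (0x10000, 0x1000, 0 if empty_first else 0x400, 0x400),
        (0x1000, 0x11000, 0x400, 0x400),
        (0x200, 0x12000, 0x200, 0x800),
    ]
    for i, (name, fields) in enumerate(zip(names, layout)):
        off = table + i * 40
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8, *fields)
    if stamp_magic:
        end = table + 3 * 40
        hdr[end:end + 4] = b"UPX!"                        # pack-header magic after the section table
    payload = bytes(range(256)) * 4                      # 0x400 bytes, entropy exactly 8.0
    resources = bytes(0x200)                             # 0x200 zero bytes, entropy 0.0
    return bytes(hdr) + payload + resources


if __name__ == "__main__":
    plain_names = (b".text", b".data", b".rsrc")
    for label, sample in (("stock UPX", build_sample()),
                          ("renamed sections", build_sample(plain_names, False)),
                          ("unpacked layout", build_sample(plain_names, False, False))):
        print(f"{label:17s} packed={is_upx_packed(sample)} {upx_indicators(sample)}")
```

To run it against a real file, read it with `open(path, "rb").read()` and pass the bytes to `upx_indicators()`; treat a hit on the layout heuristics alone as a lead to confirm with `upx -d` or manual unpacking, since any compressing packer, not only UPX, produces that shape.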

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                              ID      Count
Persistence       Registry Run Keys / Startup Folder     T1060   1
Persistence       Browser Extensions                     T1176   1
Defense Evasion   File Permissions Modification          T1222   1
Defense Evasion   Modify Registry                        T1112   2
Discovery         Query Registry                         T1012   2
Discovery         Peripheral Device Discovery            T1120   1
Discovery         System Information Discovery           T1082   3
