Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 19-04-2021 03:33
Behavioral task: behavioral1
- Sample: nJhfKDwP.exe
- Resource: win7v20210410
General
- Target: nJhfKDwP.exe
- Size: 52KB
- MD5: 4198b4aad34131326392f6ff004bdc3b
- SHA1: 343397a61c1cb5d96db6c382d0d100a71b7a5675
- SHA256: 95fbecb2d0b0aa0fa80e02732237fc9eb43fc9f8af1efff062435b44b57f1a03
- SHA512: 818bfce435a35ddb4d0441235aee77a371334c87c66e7cf261c494ff4feada5dc0c21faee15480aa43e6627f5941dacd32363d5010a2666830f6a21435616e95
Malware Config
Extracted: asyncrat 0.5.7B
Hosts (host:port):
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- 127.0.0.1:4782
- cademc.zapto.org:6606
- cademc.zapto.org:7707
- cademc.zapto.org:8808
- cademc.zapto.org:4782
Mutex: AsyncMutex_6SI8OkPnk
Config keys:
- aes_key: ZhQQk94aHNZ5cX6T38xeg5GO1INH17ha
- anti_detection: false
- autorun: true
- bdos: false
- delay: Default
- host: 127.0.0.1,cademc.zapto.org
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 6606,7707,8808,4782
- version: 0.5.7B
Signatures
- Async RAT payload (2 IoCs)
  Processes (resource, yara_rule):
    C:\Users\Admin\AppData\Roaming\JDKUpdater.exe  asyncrat
    C:\Users\Admin\AppData\Roaming\JDKUpdater.exe  asyncrat
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1300  JDKUpdater.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid, process):
    2832  timeout.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes (pid, process):
    620  nJhfKDwP.exe  (15 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  620   nJhfKDwP.exe
    Token: SeDebugPrivilege  1300  JDKUpdater.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description, pid, process, target process; each row listed 3 times in the report):
    PID 620 wrote to memory of 3468   620   nJhfKDwP.exe  cmd.exe
    PID 620 wrote to memory of 1908   620   nJhfKDwP.exe  cmd.exe
    PID 3468 wrote to memory of 1308  3468  cmd.exe       schtasks.exe
    PID 1908 wrote to memory of 2832  1908  cmd.exe       timeout.exe
    PID 1908 wrote to memory of 1300  1908  cmd.exe       JDKUpdater.exe
Processes
- depth 1: C:\Users\Admin\AppData\Local\Temp\nJhfKDwP.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\nJhfKDwP.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - depth 2: C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "JDKUpdater" /tr '"C:\Users\Admin\AppData\Roaming\JDKUpdater.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - depth 3: C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "JDKUpdater" /tr '"C:\Users\Admin\AppData\Roaming\JDKUpdater.exe"'
      - Creates scheduled task(s)
  - depth 2: C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8F36.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - depth 3: C:\Windows\SysWOW64\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe
    - depth 3: C:\Users\Admin\AppData\Roaming\JDKUpdater.exe
      command line: "C:\Users\Admin\AppData\Roaming\JDKUpdater.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8F36.tmp.bat
  MD5: 87a16a34e5b45fef5628346a9725c21a
  SHA1: d955b6633b307fd85f7a25771beb60070e3eecc2
  SHA256: 44c545602e6050954e0b031caaa6f04ebdedc0b488e7d0d0e66227daa5badc87
  SHA512: 025e43d9622d582dd10047d1a063b2cd0bc18fc2c3ac01a9f9ee144f520edcdecd310f59e43520693a20e88d9dcc0bba4f01752c9dab50e17f60d145c1779449
- C:\Users\Admin\AppData\Roaming\JDKUpdater.exe
  MD5: 4198b4aad34131326392f6ff004bdc3b
  SHA1: 343397a61c1cb5d96db6c382d0d100a71b7a5675
  SHA256: 95fbecb2d0b0aa0fa80e02732237fc9eb43fc9f8af1efff062435b44b57f1a03
  SHA512: 818bfce435a35ddb4d0441235aee77a371334c87c66e7cf261c494ff4feada5dc0c21faee15480aa43e6627f5941dacd32363d5010a2666830f6a21435616e95
- memory/620-114-0x0000000000430000-0x0000000000431000-memory.dmp  Filesize: 4KB
- memory/620-116-0x0000000004E20000-0x0000000004E21000-memory.dmp  Filesize: 4KB
- memory/620-117-0x0000000004D70000-0x0000000004D71000-memory.dmp  Filesize: 4KB
- memory/1300-123-0x0000000000000000-mapping.dmp
- memory/1300-128-0x0000000004EB0000-0x0000000004EB1000-memory.dmp  Filesize: 4KB
- memory/1308-120-0x0000000000000000-mapping.dmp
- memory/1908-119-0x0000000000000000-mapping.dmp
- memory/2832-122-0x0000000000000000-mapping.dmp
- memory/3468-118-0x0000000000000000-mapping.dmp