Malware Analysis Report

2025-06-16 01:02

Sample ID: 220217-m46xkabah6
Target: NITAS POV211206 .jar
SHA256: de0320c054a777a1870ba945082e9afa76b09adc20f6214e2ed3a5de818f9ac3
Tags
Score: 4/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 4/10

SHA256: de0320c054a777a1870ba945082e9afa76b09adc20f6214e2ed3a5de818f9ac3

Threat Level: Likely benign

The file NITAS POV211206 .jar was found to be: Likely benign.

Malicious Activity Summary

Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-02-17 11:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-02-17 11:02
Reported: 2022-02-17 11:05
Platform: win7-en-20211208
Max time kernel: 165s
Max time network: 154s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\NITAS POV211206 .jar"

Signatures

N/A

Processes

C:\Windows\system32\java.exe
  java -jar "C:\Users\Admin\AppData\Local\Temp\NITAS POV211206 .jar"

Network

Country  Destination           Domain           Proto
US       8.8.8.8:53            repo1.maven.org  udp
US       8.8.8.8:53            github.com       udp
US       199.232.192.209:443   repo1.maven.org  tcp
US       199.232.192.209:443   repo1.maven.org  tcp
US       140.82.113.4:443      github.com       tcp
US       199.232.192.209:443   repo1.maven.org  tcp

Files

memory/1796-55-0x000007FEFBD71000-0x000007FEFBD73000-memory.dmp
memory/1796-57-0x0000000002030000-0x00000000022A0000-memory.dmp
memory/1796-58-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1796-61-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1796-89-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1796-93-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1796-114-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-02-17 11:02
Reported: 2022-02-17 11:05
Platform: win10v2004-en-20220113
Max time kernel: 163s
Max time network: 174s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\NITAS POV211206 .jar"

Signatures

Drops file in Windows directory

Description                    Indicator                                                   Process                          Target
File opened for modification   C:\Windows\WindowsUpdate.log                                C:\Windows\system32\svchost.exe  N/A
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk      C:\Windows\system32\svchost.exe  N/A
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log      C:\Windows\system32\svchost.exe  N/A
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb     C:\Windows\system32\svchost.exe  N/A
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm     C:\Windows\system32\svchost.exe  N/A
File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log         C:\Windows\system32\svchost.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description                          Indicator  Process                          Target
Token: SeShutdownPrivilege           N/A        C:\Windows\system32\svchost.exe  N/A
Token: SeCreatePagefilePrivilege     N/A        C:\Windows\system32\svchost.exe  N/A
Token: SeShutdownPrivilege           N/A        C:\Windows\system32\svchost.exe  N/A
Token: SeCreatePagefilePrivilege     N/A        C:\Windows\system32\svchost.exe  N/A
Token: SeShutdownPrivilege           N/A        C:\Windows\system32\svchost.exe  N/A
Token: SeCreatePagefilePrivilege     N/A        C:\Windows\system32\svchost.exe  N/A

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe
  java -jar "C:\Users\Admin\AppData\Local\Temp\NITAS POV211206 .jar"

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

Network

Country  Destination           Domain           Proto
US       209.197.3.8:80                         tcp
US       209.197.3.8:80                         tcp
US       209.197.3.8:80                         tcp
US       8.8.8.8:53            github.com       udp
US       8.8.8.8:53            repo1.maven.org  udp
US       140.82.114.3:443      github.com       tcp
US       199.232.192.209:443   repo1.maven.org  tcp
US       199.232.192.209:443   repo1.maven.org  tcp
US       199.232.192.209:443   repo1.maven.org  tcp

Files

memory/3068-131-0x0000000003070000-0x00000000032E0000-memory.dmp
memory/3068-132-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
memory/3068-138-0x00000000032E0000-0x00000000032F0000-memory.dmp
memory/3068-141-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
memory/3068-142-0x00000000032F0000-0x0000000003300000-memory.dmp
memory/3068-143-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
memory/3068-144-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
memory/3068-145-0x0000000003300000-0x0000000003310000-memory.dmp
memory/3068-146-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
memory/3068-148-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
memory/3068-166-0x0000000003310000-0x0000000003320000-memory.dmp
memory/3068-181-0x0000000003320000-0x0000000003330000-memory.dmp
memory/3068-184-0x0000000003330000-0x0000000003340000-memory.dmp
memory/3068-188-0x0000000003340000-0x0000000003350000-memory.dmp
memory/3068-189-0x0000000003350000-0x0000000003360000-memory.dmp
memory/3068-193-0x0000000003360000-0x0000000003370000-memory.dmp
memory/3068-194-0x0000000003370000-0x0000000003380000-memory.dmp
memory/3420-216-0x00000198A7330000-0x00000198A7340000-memory.dmp
memory/3068-222-0x0000000003380000-0x0000000003390000-memory.dmp
memory/3068-233-0x0000000003390000-0x00000000033A0000-memory.dmp
memory/3068-241-0x00000000033A0000-0x00000000033B0000-memory.dmp