Analysis
- max time kernel: 91s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 23:31
Static task: static1
Behavioral task: behavioral1
  Sample: 260c43ebb152717fa39c829490e695886d134f582680237bc3d9eb39ab7e4e61.jar
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 260c43ebb152717fa39c829490e695886d134f582680237bc3d9eb39ab7e4e61.jar
  Resource: win10v2004-20220414-en
General
- Target: 260c43ebb152717fa39c829490e695886d134f582680237bc3d9eb39ab7e4e61.jar
- Size: 446KB
- MD5: 0216228659fc89d12e7f3b82bd84705d
- SHA1: 6cae5d56769b3ececad6165ff26c3b364a08d7a4
- SHA256: 260c43ebb152717fa39c829490e695886d134f582680237bc3d9eb39ab7e4e61
- SHA512: f146555c1ac5d17e98f36302e577285c3eba7fb34387029ac383f9e299e8f7a62fd9bd1cf6cddc057431d74445f03396de347f4df916bc35deab00deb437107e
Malware Config
Signatures
- Drops file in Program Files directory (12 IoCs)
  description / ioc / Process:
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb (java.exe)
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb (java.exe)
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb (java.exe)
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb (java.exe)
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb (java.exe)
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb (java.exe)
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb (java.exe)
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb (java.exe)
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb (java.exe)
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb (java.exe)
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb (java.exe)
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb (java.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description / pid / Process / procid_target:
  PID 2128 wrote to memory of 1000 / 2128 / java.exe / 80
  PID 2128 wrote to memory of 1000 / 2128 / java.exe / 80
  PID 2128 wrote to memory of 4280 / 2128 / java.exe / 82
  PID 2128 wrote to memory of 4280 / 2128 / java.exe / 82
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\260c43ebb152717fa39c829490e695886d134f582680237bc3d9eb39ab7e4e61.jar
  PID: 2128
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Oracle\Java\javapath\java.exe
    Command line: java -jar C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF8088594803214420465.JAR istmp
    PID: 1000
    - Drops file in Program Files directory
  - C:\Windows\SYSTEM32\REG.exe
    Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "REalTechInfo" /t REG_SZ /F /D "java -jar "C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF8088594803214420465.JAR istmp""
    PID: 4280
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 50B
  MD5: 9e46af1aea19942a895400a5c3e75bbf
  SHA1: 7675ef617c2b25c0161a11a12c913dc64f954699
  SHA256: ec354c6bdcf893a5cbc0bd8b2b8c196dcce5c7f3cca1683eb7c2e08ffccc36ba
  SHA512: 0caaffc46adaf63241b6cb4792befd1a95ad8380e147259805b2f5e447596c4d3716ae5c2a97e0d0bf2482d85c2d53ea9d93fb671b0069554668791dd83cd210
- Filesize: 446KB
  MD5: 0216228659fc89d12e7f3b82bd84705d
  SHA1: 6cae5d56769b3ececad6165ff26c3b364a08d7a4
  SHA256: 260c43ebb152717fa39c829490e695886d134f582680237bc3d9eb39ab7e4e61
  SHA512: f146555c1ac5d17e98f36302e577285c3eba7fb34387029ac383f9e299e8f7a62fd9bd1cf6cddc057431d74445f03396de347f4df916bc35deab00deb437107e
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1809750270-3141839489-3074374771-1000\83aa4cc77f591dfc2374580bbd95f6ba_2c7a2658-1166-4e8e-b7f6-c01b4ff97801
  Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd