Analysis
- max time kernel: 93s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 23:31

Static task: static1
Behavioral task: behavioral1
  Sample: 2018_01_05__18_54_00__5961114448888.jar
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 2018_01_05__18_54_00__5961114448888.jar
  Resource: win10v2004-20220414-en
General
- Target: 2018_01_05__18_54_00__5961114448888.jar
- Size: 446KB
- MD5: 0216228659fc89d12e7f3b82bd84705d
- SHA1: 6cae5d56769b3ececad6165ff26c3b364a08d7a4
- SHA256: 260c43ebb152717fa39c829490e695886d134f582680237bc3d9eb39ab7e4e61
- SHA512: f146555c1ac5d17e98f36302e577285c3eba7fb34387029ac383f9e299e8f7a62fd9bd1cf6cddc057431d74445f03396de347f4df916bc35deab00deb437107e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 4772 javaw.exe
- Loads dropped DLL (5 IoCs)
  pid 4772 javaw.exe (5 entries)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QYraFnSZOca = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\WCUkqDHuYPW.jpg\\WUFKYxLvepBd.JStdFc\"" (reg.exe)
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\System32\test.txt (java.exe)
- Modifies registry key (1 TTP, 1 IoC)
  pid 2720 reg.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2300 java.exe
- Suspicious use of WriteProcessMemory (24 IoCs; each entry below is listed twice in the report)
  PID 4340 (java.exe) wrote to memory of 2300, procid_target 84
  PID 4340 (java.exe) wrote to memory of 3332, procid_target 86
  PID 2300 (java.exe) wrote to memory of 1536, procid_target 88
  PID 1536 (cmd.exe) wrote to memory of 2420, procid_target 90
  PID 2300 (java.exe) wrote to memory of 3112, procid_target 91
  PID 3112 (cmd.exe) wrote to memory of 2852, procid_target 93
  PID 2300 (java.exe) wrote to memory of 4736, procid_target 94
  PID 2300 (java.exe) wrote to memory of 4480, procid_target 97
  PID 2300 (java.exe) wrote to memory of 2720, procid_target 99
  PID 2300 (java.exe) wrote to memory of 3132, procid_target 100
  PID 2300 (java.exe) wrote to memory of 3900, procid_target 102
  PID 2300 (java.exe) wrote to memory of 4772, procid_target 103
- Views/modifies file attributes (1 TTP, 2 IoCs)
  pid 3132 attrib.exe
  pid 3900 attrib.exe
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\2018_01_05__18_54_00__5961114448888.jar
  PID: 4340
  Signatures: Suspicious use of WriteProcessMemory
  - C:\ProgramData\Oracle\Java\javapath\java.exe
    Command line: java -jar C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF7938656355765313016.JAR istmp
    PID: 2300
    Signatures: Drops file in System32 directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7845228132344352981.vbs
      PID: 1536
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cscript.exe
        Command line: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7845228132344352981.vbs
        PID: 2420
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6341562289461433663.vbs
      PID: 3112
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cscript.exe
        Command line: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6341562289461433663.vbs
        PID: 2852
    - C:\Windows\SYSTEM32\xcopy.exe
      Command line: xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
      PID: 4736
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe
      PID: 4480
    - C:\Windows\SYSTEM32\reg.exe
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v QYraFnSZOca /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\WCUkqDHuYPW.jpg\WUFKYxLvepBd.JStdFc\"" /f
      PID: 2720
      Signatures: Adds Run key to start application; Modifies registry key
    - C:\Windows\SYSTEM32\attrib.exe
      Command line: attrib +h "C:\Users\Admin\WCUkqDHuYPW.jpg\*.*"
      PID: 3132
      Signatures: Views/modifies file attributes
    - C:\Windows\SYSTEM32\attrib.exe
      Command line: attrib +h "C:\Users\Admin\WCUkqDHuYPW.jpg"
      PID: 3900
      Signatures: Views/modifies file attributes
    - C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
      Command line: C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\WCUkqDHuYPW.jpg\WUFKYxLvepBd.JStdFc
      PID: 4772
      Signatures: Executes dropped EXE; Loads dropped DLL
  - C:\Windows\SYSTEM32\REG.exe
    Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "REalTechInfo" /t REG_SZ /F /D "java -jar "C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF7938656355765313016.JAR istmp""
    PID: 3332
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 50B
  MD5: fd9a098d9854dced4696373e7ec5e5f3
  SHA1: 098285c0a173f1b14691dda5b7653be59c6e7fb7
  SHA256: 86b60fbc03de007ce717ae558a1682e246e22c3d065a2406d2bb6b865088e506
  SHA512: bd9e211d59e387f056d1a258f044d21c769f2ad4a01ac8065d6f5cd46ad7b05214dff7b0930e3c27e051853836fdf1daf86ffbe928ff86449cbffb116f867991
- Filesize: 446KB
  MD5: 0216228659fc89d12e7f3b82bd84705d
  SHA1: 6cae5d56769b3ececad6165ff26c3b364a08d7a4
  SHA256: 260c43ebb152717fa39c829490e695886d134f582680237bc3d9eb39ab7e4e61
  SHA512: f146555c1ac5d17e98f36302e577285c3eba7fb34387029ac383f9e299e8f7a62fd9bd1cf6cddc057431d74445f03396de347f4df916bc35deab00deb437107e
- Filesize: 281B
  MD5: a32c109297ed1ca155598cd295c26611
  SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
  SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
  SHA512: 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887
- Filesize: 276B
  MD5: 3bdfd33017806b85949b6faa7d4b98e4
  SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
  SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
  SHA512: ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1809750270-3141839489-3074374771-1000\83aa4cc77f591dfc2374580bbd95f6ba_2c7a2658-1166-4e8e-b7f6-c01b4ff97801
  Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
- Filesize: 155KB (listed twice)
  MD5: ce330d52fc60db54ddfb463ad2280722
  SHA1: 9506dfdaf3db5636a45b6e06006670387c62746c
  SHA256: ec55bc29ddec5cfbe53cb366b6d1ce5011323f48b8411f22e27ba8dfe7cfbea9
  SHA512: 56e4cb6d55b166fbcaa2feeaa80b230f109cedadba2af0d7dfef80ae6289a49c00515f4d00e70d34355bc13ac98cc200b6a298046ce63e55f6c7a05668bd181c
- Filesize: 202KB
  MD5: aa120c29e7202ce9ae9c0752284c7e36
  SHA1: 94e7d33ccab298c67b1cc816d3c228cc7e6b84e4
  SHA256: 449036069e2bfe7ec052a614be07ad7105a3203d974d46423c0c32d6ce888661
  SHA512: 1442856f08213f4a356cd404c50a65a12b908f6fb86c299d636af595577ef8af82294ad4237fbb025578b946e8f179b9eed0f6d6c4aa88970bfb228ae8c767f8
- Filesize: 809KB (listed twice)
  MD5: df3ca8d16bded6a54977b30e66864d33
  SHA1: b7b9349b33230c5b80886f5c1f0a42848661c883
  SHA256: 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36
  SHA512: 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0
- Filesize: 8.4MB (listed twice)
  MD5: ef745af1ddd4826d206f1942fa0e4b6f
  SHA1: 3260b76ca72e6ac80f8551d8fcba9926438cd838
  SHA256: ff71a50534d0849b810b20c9403300aba6df4ee09fa00127c95f67c1c51f18d8
  SHA512: cad9b9bd1f381b4b05d404ee1809db6737498a362c74d196104c647d0b66cde80554957ece14147c2a850a4245020052ac2c1ad4949eed72273a1e6f8a7261eb
- Filesize: 48KB (listed twice)
  MD5: b140730c68a0d3e52d4533f4fb32dce8
  SHA1: 82687e557c57534f1e54f14a016eaac0f375e83d
  SHA256: 88cabc3823364a5abf3525f0aeaee11ba7353796e78cfb1aa5c047c35db2d943
  SHA512: 9f1cdee973c9c16b2f965118e12df571410c8e5bfb010e8738231ad59548c2999673f57f963cb3e4a2d71d6bc4fd714b4624556ed3530fa9b987a82fa5c7d4fe
- Filesize: 75KB (listed twice)
  MD5: a56686411fc41f3abeea19f129935ee9
  SHA1: 6cb98bbc9d0e779a44dd0608cb2c7645c33de4e6
  SHA256: 0f906562f61761f3c66150362abfb04b4ca37c82071e91cc89d43fac5d7425ec
  SHA512: be74f0a89c702e189d617a96d6b36506777c48ad41a2daaf43d7bf5719b8055de34ee567417b75ee6fadc1fa740a7e1c5f8d890723890b2c9e49965e469f352e
- Filesize: 634B
  MD5: 499f2a4e0a25a41c1ff80df2d073e4fd
  SHA1: e2469cbe07e92d817637be4e889ebb74c3c46253
  SHA256: 80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb
  SHA512: 7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d
- Filesize: 2KB
  MD5: 91aa6ea7320140f30379f758d626e59d
  SHA1: 3be2febe28723b1033ccdaa110eaf59bbd6d1f96
  SHA256: 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4
  SHA512: 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb
- Filesize: 47B
  MD5: 0b96dfd5f9239917c9bcee4d6b3f638d
  SHA1: cbe6ccbde3fe09b426c201dedb032de70713242c
  SHA256: 96467d8a2395aa883ccdd0eb398b045906247c6e99ef2ed59316e610fdab52e1
  SHA512: 645d64465f2ad75098c068597048abac4c4757e82f3d4c2a65bfc3894f7a0bef25d27a77f29d1a3f3a14362f2a1668cf2938a8a89d48c4ce1243f0476492328b
- Filesize: 399KB
  MD5: 093ac0d0747d88c9a27a3426eda6afb9
  SHA1: 11b1c7704788b7d0066cda44152a00a53e216bb1
  SHA256: 267ecdcbd7bd564398711133eea96b0747bb284f4dc9238f0393d9545a1d4ff7
  SHA512: 73c2eb0e5da0abf70854bbf798c4d59e9b76b5860a116b7ca69057f4b16283d25a53818c795dc7359089cd6fd563c1ca04ce6f403340316c137b279ccacdcaa8