Analysis

  • max time kernel
    93s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 23:31

General

  • Target

    2018_01_05__18_54_00__5961114448888.jar

  • Size

    446KB

  • MD5

    0216228659fc89d12e7f3b82bd84705d

  • SHA1

    6cae5d56769b3ececad6165ff26c3b364a08d7a4

  • SHA256

    260c43ebb152717fa39c829490e695886d134f582680237bc3d9eb39ab7e4e61

  • SHA512

    f146555c1ac5d17e98f36302e577285c3eba7fb34387029ac383f9e299e8f7a62fd9bd1cf6cddc057431d74445f03396de347f4df916bc35deab00deb437107e

Malware Config

Signatures

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (5 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Modifies registry key (1 TTP, 1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (24 IoCs)
  • Views/modifies file attributes (1 TTP, 2 IoCs)

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\2018_01_05__18_54_00__5961114448888.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4340
    • C:\ProgramData\Oracle\Java\javapath\java.exe
      java -jar C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF7938656355765313016.JAR istmp
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7845228132344352981.vbs
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1536
        • C:\Windows\system32\cscript.exe
          cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7845228132344352981.vbs
          4⤵
          PID:2420
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6341562289461433663.vbs
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3112
        • C:\Windows\system32\cscript.exe
          cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6341562289461433663.vbs
          4⤵
          PID:2852
      • C:\Windows\SYSTEM32\xcopy.exe
        xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
        3⤵
        PID:4736
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe
        3⤵
        PID:4480
      • C:\Windows\SYSTEM32\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v QYraFnSZOca /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\WCUkqDHuYPW.jpg\WUFKYxLvepBd.JStdFc\"" /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:2720
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h "C:\Users\Admin\WCUkqDHuYPW.jpg\*.*"
        3⤵
        • Views/modifies file attributes
        PID:3132
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h "C:\Users\Admin\WCUkqDHuYPW.jpg"
        3⤵
        • Views/modifies file attributes
        PID:3900
      • C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
        C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\WCUkqDHuYPW.jpg\WUFKYxLvepBd.JStdFc
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4772
    • C:\Windows\SYSTEM32\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "REalTechInfo" /t REG_SZ /F /D "java -jar "C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF7938656355765313016.JAR istmp""
      2⤵
      PID:3332

Network

MITRE ATT&CK Enterprise v6

Downloads

            • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

              Filesize

              50B

              MD5

              fd9a098d9854dced4696373e7ec5e5f3

              SHA1

              098285c0a173f1b14691dda5b7653be59c6e7fb7

              SHA256

              86b60fbc03de007ce717ae558a1682e246e22c3d065a2406d2bb6b865088e506

              SHA512

              bd9e211d59e387f056d1a258f044d21c769f2ad4a01ac8065d6f5cd46ad7b05214dff7b0930e3c27e051853836fdf1daf86ffbe928ff86449cbffb116f867991

            • C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF7938656355765313016.JAR

              Filesize

              446KB

              MD5

              0216228659fc89d12e7f3b82bd84705d

              SHA1

              6cae5d56769b3ececad6165ff26c3b364a08d7a4

              SHA256

              260c43ebb152717fa39c829490e695886d134f582680237bc3d9eb39ab7e4e61

              SHA512

              f146555c1ac5d17e98f36302e577285c3eba7fb34387029ac383f9e299e8f7a62fd9bd1cf6cddc057431d74445f03396de347f4df916bc35deab00deb437107e

            • C:\Users\Admin\AppData\Local\Temp\Retrive6341562289461433663.vbs

              Filesize

              281B

              MD5

              a32c109297ed1ca155598cd295c26611

              SHA1

              dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

              SHA256

              45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

              SHA512

              70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

            • C:\Users\Admin\AppData\Local\Temp\Retrive7845228132344352981.vbs

              Filesize

              276B

              MD5

              3bdfd33017806b85949b6faa7d4b98e4

              SHA1

              f92844fee69ef98db6e68931adfaa9a0a0f8ce66

              SHA256

              9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

              SHA512

              ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

            • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1809750270-3141839489-3074374771-1000\83aa4cc77f591dfc2374580bbd95f6ba_2c7a2658-1166-4e8e-b7f6-c01b4ff97801

              Filesize

              45B

              MD5

              c8366ae350e7019aefc9d1e6e6a498c6

              SHA1

              5731d8a3e6568a5f2dfbbc87e3db9637df280b61

              SHA256

              11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

              SHA512

              33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

              Filesize

              155KB

              MD5

              ce330d52fc60db54ddfb463ad2280722

              SHA1

              9506dfdaf3db5636a45b6e06006670387c62746c

              SHA256

              ec55bc29ddec5cfbe53cb366b6d1ce5011323f48b8411f22e27ba8dfe7cfbea9

              SHA512

              56e4cb6d55b166fbcaa2feeaa80b230f109cedadba2af0d7dfef80ae6289a49c00515f4d00e70d34355bc13ac98cc200b6a298046ce63e55f6c7a05668bd181c

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe

              Filesize

              202KB

              MD5

              aa120c29e7202ce9ae9c0752284c7e36

              SHA1

              94e7d33ccab298c67b1cc816d3c228cc7e6b84e4

              SHA256

              449036069e2bfe7ec052a614be07ad7105a3203d974d46423c0c32d6ce888661

              SHA512

              1442856f08213f4a356cd404c50a65a12b908f6fb86c299d636af595577ef8af82294ad4237fbb025578b946e8f179b9eed0f6d6c4aa88970bfb228ae8c767f8

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll

              Filesize

              809KB

              MD5

              df3ca8d16bded6a54977b30e66864d33

              SHA1

              b7b9349b33230c5b80886f5c1f0a42848661c883

              SHA256

              1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

              SHA512

              951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll

              Filesize

              8.4MB

              MD5

              ef745af1ddd4826d206f1942fa0e4b6f

              SHA1

              3260b76ca72e6ac80f8551d8fcba9926438cd838

              SHA256

              ff71a50534d0849b810b20c9403300aba6df4ee09fa00127c95f67c1c51f18d8

              SHA512

              cad9b9bd1f381b4b05d404ee1809db6737498a362c74d196104c647d0b66cde80554957ece14147c2a850a4245020052ac2c1ad4949eed72273a1e6f8a7261eb

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll

              Filesize

              48KB

              MD5

              b140730c68a0d3e52d4533f4fb32dce8

              SHA1

              82687e557c57534f1e54f14a016eaac0f375e83d

              SHA256

              88cabc3823364a5abf3525f0aeaee11ba7353796e78cfb1aa5c047c35db2d943

              SHA512

              9f1cdee973c9c16b2f965118e12df571410c8e5bfb010e8738231ad59548c2999673f57f963cb3e4a2d71d6bc4fd714b4624556ed3530fa9b987a82fa5c7d4fe

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll

              Filesize

              75KB

              MD5

              a56686411fc41f3abeea19f129935ee9

              SHA1

              6cb98bbc9d0e779a44dd0608cb2c7645c33de4e6

              SHA256

              0f906562f61761f3c66150362abfb04b4ca37c82071e91cc89d43fac5d7425ec

              SHA512

              be74f0a89c702e189d617a96d6b36506777c48ad41a2daaf43d7bf5719b8055de34ee567417b75ee6fadc1fa740a7e1c5f8d890723890b2c9e49965e469f352e

            • C:\Users\Admin\AppData\Roaming\Oracle\lib\amd64\jvm.cfg

              Filesize

              634B

              MD5

              499f2a4e0a25a41c1ff80df2d073e4fd

              SHA1

              e2469cbe07e92d817637be4e889ebb74c3c46253

              SHA256

              80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb

              SHA512

              7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

            • C:\Users\Admin\AppData\Roaming\Oracle\lib\meta-index

              Filesize

              2KB

              MD5

              91aa6ea7320140f30379f758d626e59d

              SHA1

              3be2febe28723b1033ccdaa110eaf59bbd6d1f96

              SHA256

              4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

              SHA512

              03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

            • C:\Users\Admin\WCUkqDHuYPW.jpg\ID.txt

              Filesize

              47B

              MD5

              0b96dfd5f9239917c9bcee4d6b3f638d

              SHA1

              cbe6ccbde3fe09b426c201dedb032de70713242c

              SHA256

              96467d8a2395aa883ccdd0eb398b045906247c6e99ef2ed59316e610fdab52e1

              SHA512

              645d64465f2ad75098c068597048abac4c4757e82f3d4c2a65bfc3894f7a0bef25d27a77f29d1a3f3a14362f2a1668cf2938a8a89d48c4ce1243f0476492328b

            • C:\Users\Admin\WCUkqDHuYPW.jpg\WUFKYxLvepBd.JStdFc

              Filesize

              399KB

              MD5

              093ac0d0747d88c9a27a3426eda6afb9

              SHA1

              11b1c7704788b7d0066cda44152a00a53e216bb1

              SHA256

              267ecdcbd7bd564398711133eea96b0747bb284f4dc9238f0393d9545a1d4ff7

              SHA512

              73c2eb0e5da0abf70854bbf798c4d59e9b76b5860a116b7ca69057f4b16283d25a53818c795dc7359089cd6fd563c1ca04ce6f403340316c137b279ccacdcaa8

            • memory/2300-182-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

              Filesize

              16.0MB

            • memory/2300-180-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

              Filesize

              16.0MB

            • memory/2300-208-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

              Filesize

              16.0MB

            • memory/2300-185-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

              Filesize

              16.0MB

            • memory/2300-171-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

              Filesize

              16.0MB

            • memory/2300-207-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

              Filesize

              16.0MB

            • memory/2300-154-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

              Filesize

              16.0MB

            • memory/2300-181-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

              Filesize

              16.0MB

            • memory/2300-168-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

              Filesize

              16.0MB

            • memory/2300-179-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

              Filesize

              16.0MB

            • memory/2300-164-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

              Filesize

              16.0MB

            • memory/2300-176-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

              Filesize

              16.0MB

            • memory/2300-190-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

              Filesize

              16.0MB

            • memory/2300-165-0x0000000002BD0000-0x0000000003BD0000-memory.dmp

              Filesize

              16.0MB

            • memory/4340-139-0x0000000002740000-0x0000000003740000-memory.dmp

              Filesize

              16.0MB