3de86c34ce7eb40bc54172b7fd3803140744633433231105278b480daf27bf01

Resubmissions

16/09/2022, 22:30

220916-2e4s8scfcm 6

16/09/2022, 20:20

220916-y4lgeacdcr 6

Analysis

max time kernel
338s
max time network
397s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16/09/2022, 20:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

roblox.jar
Size

1010KB
MD5

3bbc7277d7d2d55aaf7ba52ecbd7e0a9
SHA1

4c36c69cbc3e02705f9815b4aa3db4d1f163f0b7
SHA256

3de86c34ce7eb40bc54172b7fd3803140744633433231105278b480daf27bf01
SHA512

877ae2c907a84ba2b44f8ac171e0b70a8782759eb9486c936d0f02c4dcd7ce50a7c67dc8c0e8d2c8f4efd095e9f79e20d2a3872b275a56b6b776cc152de4f405
SSDEEP

12288:fu9vibs8gZmCZSY+41Wxwc3yjUxS9+KJ84D8g7BlfseikeBbG3EgWnX0uwBbEp7/:m9v0s/ZvcY7ebxOjD5Te1GUrnlwOpD

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1663366854913.tmp"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
328	3720	WerFault.exe	32

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3400	java.exe
3400	java.exe
3400	java.exe
3400	java.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 4520	3400	java.exe	84
PID 3400 wrote to memory of 4520	3400	java.exe	84
PID 3400 wrote to memory of 3876	3400	java.exe	86
PID 3400 wrote to memory of 3876	3400	java.exe	86
PID 3876 wrote to memory of 3580	3876	cmd.exe	88
PID 3876 wrote to memory of 3580	3876	cmd.exe	88

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4520	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\roblox.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\SYSTEM32\attrib.exe
  attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1663366854913.tmp
  2⤵
  - Views/modifies file attributes
  PID:4520
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1663366854913.tmp" /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1663366854913.tmp" /f
    3⤵
    - Adds Run key to start application
    PID:3580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 3720 -ip 3720
1⤵
PID:3780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3720 -s 772
1⤵
- Program crash
PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1663366854913.tmp

Filesize
1010KB

MD5
3bbc7277d7d2d55aaf7ba52ecbd7e0a9

SHA1
4c36c69cbc3e02705f9815b4aa3db4d1f163f0b7

SHA256
3de86c34ce7eb40bc54172b7fd3803140744633433231105278b480daf27bf01

SHA512
877ae2c907a84ba2b44f8ac171e0b70a8782759eb9486c936d0f02c4dcd7ce50a7c67dc8c0e8d2c8f4efd095e9f79e20d2a3872b275a56b6b776cc152de4f405

Download Submit
memory/3400-180-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-190-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-206-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-153-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-205-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-157-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-160-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-161-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-164-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-166-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-167-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-168-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-169-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-170-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-171-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-172-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-173-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-174-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-176-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-177-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-181-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-204-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-136-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-182-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-183-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-184-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-185-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-186-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-187-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-188-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-189-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-178-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-191-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-192-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-193-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-194-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-195-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-198-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-199-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-200-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/3400-202-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads