Analysis

max time kernel: 82s
max time network: 62s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01/02/2023, 21:11

Static task: static1
Behavioral task: behavioral1
Sample: launcher.jar
Resource: win10-20220812-en
General

Target: launcher.jar
Size: 3.9MB
MD5: a7cae50be0f0efbc4b2615679ea0a4de
SHA1: ec466e117fd221170f2d7ac8b7966d2fe314999a
SHA256: 81ab6677e3b37fb3d1a1dad4bb7ce7026d532f80985839376e5d00f8d6b7f8cd
SHA512: 300b0108507a7e775faa1f6c161387950f542431049aeacd5b4dc0e18b4d748342882612a3df07f32e5188789e50090ea5a440bc55ea359e5798a80a69566031
SSDEEP: 98304:2Gii/Z2sZ3ZAnXh9pmmGaOt0aYalan32F638os0DH:WWZ+xnOtdAgPP0DH
Malware Config
Signatures
Drops file in Windows directory (2 IoCs)

  Description   IoC                                                     Process
  File created  C:\Windows\rescache\_merged\4183903823\810424605.pri    taskmgr.exe
  File created  C:\Windows\rescache\_merged\1601268389\3877292338.pri   taskmgr.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

SCSI information is often read in order to detect sandboxing environments: the device ID under Enum\SCSI encodes the disk's INQUIRY vendor and product strings (here Ven_DADY and Prod_HARDDISK), and the FriendlyName value and the DEVPKEY_NAME property ({b725f130-47ef-101a-a5f1-02608c9eebac}, index 000A) carry the display name, so a process can spot virtual disks from VMware, VirtualBox, QEMU or Hyper-V without touching the hardware directly. Note that all three reads below were made by taskmgr.exe, not by the Java processes of the sample.

  Description        IoC                                                                                                                                                        Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                          taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                              taskmgr.exe
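To make the vendor/product check concrete, here is an added example (not part of the sandbox report, the sandbox, or the Salwyrr launcher) that parses an Enum\SCSI device-ID key path such as the one queried above and compares the vendor field with the strings well-known hypervisors expose on their virtual disks. The DADY vendor from the report is deliberately not in the list; the VMware path and the unrelated services key used in the demonstration are constructed inputs. The optional live enumeration only runs on Windows and is not needed for the demonstration.

```python
"""Classify SCSI disk device IDs of the form Windows stores under
HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI\\<class>&Ven_<vendor>&Prod_<product>\\<instance>.

Added example; the vendor table below is a small, well-known subset of
hypervisor vendor strings, not an exhaustive list.
"""
import re
import sys
from typing import Optional

# Vendor strings hypervisors put in SCSI INQUIRY data (and therefore in the
# Enum\SCSI key name). Compared case-insensitively as a prefix of the vendor.
VM_VENDOR_MARKERS = {
    "VMWARE": "VMware",
    "VBOX": "VirtualBox",
    "QEMU": "QEMU/KVM",
    "MSFT": "Hyper-V",
    "XEN": "Xen",
}

# <class>&Ven_<vendor>&Prod_<product>; the product runs to the next backslash.
_DEVICE_ID_RE = re.compile(
    r"(?P<class>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^\\]+)",
    re.IGNORECASE,
)


def parse_scsi_device_id(key_path: str) -> Optional[dict]:
    """Extract device class, vendor and product from a registry key path.

    Works on a full \\REGISTRY\\MACHINE\\... path as well as on the bare
    key name returned by winreg.EnumKey. Returns None if no device ID is found.
    """
    m = _DEVICE_ID_RE.search(key_path)
    if not m:
        return None
    return {
        "class": m.group("class"),
        "vendor": m.group("vendor").strip("_"),
        "product": m.group("product").strip("_"),
    }


def hypervisor_for(vendor: str) -> Optional[str]:
    """Return the hypervisor a vendor string belongs to, or None if unknown."""
    v = vendor.upper()
    for marker, name in VM_VENDOR_MARKERS.items():
        if v.startswith(marker):
            return name
    return None


def classify_scsi_key(key_path: str) -> dict:
    """Parse the key path and attach a virtual-disk verdict."""
    parsed = parse_scsi_device_id(key_path)
    if parsed is None:
        return {"parsed": False, "virtual": None}
    hv = hypervisor_for(parsed["vendor"])
    return {
        "parsed": True,
        "vendor": parsed["vendor"],
        "product": parsed["product"],
        "hypervisor": hv,
        "virtual": hv is not None,
    }


def enumerate_local_scsi_disks() -> list:
    """On Windows, list the Enum\\SCSI device-ID key names of this host.

    Returns an empty list on other platforms or when the key is unreadable.
    """
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    ids = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SYSTEM\CurrentControlSet\Enum\SCSI") as key:
            i = 0
            while True:
                try:
                    ids.append(winreg.EnumKey(key, i))
                except OSError:
                    break
                i += 1
    except OSError:
        pass
    return ids


if __name__ == "__main__":
    # The key from the report, then a constructed VMware-style key.
    samples = [
        r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName",
        r"Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    ]
    for s in samples + enumerate_local_scsi_disks():
        print(classify_scsi_key(s))
```

Run on a real host, the script prints one verdict per SCSI disk; an unknown vendor such as DADY is reported as parsed but not virtual, which is exactly the ambiguity a sandbox relies on when it chooses a vendor string that matches no hypervisor list.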
Suspicious behavior: EnumeratesProcesses (24 IoCs)

  PID   Process
  3648  taskmgr.exe   (all 24 events)
Suspicious use of AdjustPrivilegeToken (5 IoCs)

  Description                                                  PID   Process
  Token: SeDebugPrivilege                                      3648  taskmgr.exe
  Token: SeSystemProfilePrivilege                              3648  taskmgr.exe
  Token: SeCreateGlobalPrivilege                               3648  taskmgr.exe
  Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) 3648  taskmgr.exe
  Token: SeIncBasePriorityPrivilege                            3648  taskmgr.exe
Suspicious use of FindShellTrayWindow (50 IoCs)

  PID   Process
  3648  taskmgr.exe   (all 50 events)

Suspicious use of SendNotifyMessage (50 IoCs)

  PID   Process
  3648  taskmgr.exe   (all 50 events)
Suspicious use of SetWindowsHookEx (1 IoC)

  PID   Process
  2184  java.exe

Suspicious use of WriteProcessMemory (4 IoCs)

  Description                     PID   Process   procid_target
  PID 2184 wrote to memory of 3508  2184  java.exe  67
  PID 2184 wrote to memory of 3508  2184  java.exe  67
  PID 3508 wrote to memory of 4936  3508  cmd.exe   68
  PID 3508 wrote to memory of 4936  3508  cmd.exe   68
Processes

C:\ProgramData\Oracle\Java\javapath\java.exe  (PID 2184, depth 1)
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\launcher.jar
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\cmd.exe  (PID 3508, depth 2)
    Command line: cmd.exe /c ""C:\Program Files\Java\jre1.8.0_66\bin\javaw" -Xmx512m -cp "C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\launcher.jar" fr.salwyrr.launcher.frames.Main --salwyrr salwyrr "
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe  (PID 4936, depth 3)
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw" -Xmx512m -cp "C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\launcher.jar" fr.salwyrr.launcher.frames.Main --salwyrr salwyrr

C:\Windows\system32\taskmgr.exe  (PID 3648, depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Two points follow from the tree itself. First, the sample's own chain is java.exe -> cmd.exe -> javaw.exe: the jar started from %TEMP% uses cmd.exe to launch javaw against a launcher.jar under C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher with main class fr.salwyrr.launcher.frames.Main, and each WriteProcessMemory event pairs a parent with the child it has just created (2184 -> 3508, 3508 -> 4936), which is what ordinary process creation looks like rather than a write into a foreign process. Second, taskmgr.exe (PID 3648) is a separate root with no parent in the sample's tree, so the file-drop, SCSI-registry, process-enumeration, privilege and window-message signatures attached to it cannot be attributed to launcher.jar on the basis of this report alone.
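The two observations above can be checked mechanically. The following is an added example, not part of the sandbox report or of the Salwyrr launcher: it rebuilds the process tree from the records in the Processes section, labels each WriteProcessMemory event according to whether the target is the writer's direct child, and looks for a Java process whose classpath jar lives under the roaming profile and that descends from another Java process. The four write events are those of the report; the fifth, in which java.exe writes into taskmgr.exe, is constructed to show how a write into an unrelated process would be labelled.

```python
"""Process-tree reconstruction and WriteProcessMemory triage for the
java.exe -> cmd.exe -> javaw.exe chain in this report (added example).

Parent links are taken from the report's WriteProcessMemory pairs, which
here coincide with process creation; taskmgr.exe has no parent in the data.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None
    children: List[int] = field(default_factory=list)


# (pid, parent pid, image, command line), transcribed from the Processes section.
PROCESSES = [
    (2184, None, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
     r"java -jar C:\Users\Admin\AppData\Local\Temp\launcher.jar"),
    (3508, 2184, r"C:\Windows\SYSTEM32\cmd.exe",
     r'cmd.exe /c ""C:\Program Files\Java\jre1.8.0_66\bin\javaw" -Xmx512m -cp "C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\launcher.jar" fr.salwyrr.launcher.frames.Main --salwyrr salwyrr "'),
    (4936, 3508, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw" -Xmx512m -cp "C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\launcher.jar" fr.salwyrr.launcher.frames.Main --salwyrr salwyrr'),
    (3648, None, r"C:\Windows\system32\taskmgr.exe",
     r'"C:\Windows\system32\taskmgr.exe" /4'),
]

# (writer pid, target pid): the four events from the report.
WRITE_EVENTS = [(2184, 3508), (2184, 3508), (3508, 4936), (3508, 4936)]
# Constructed event, not in the report: java.exe writing into taskmgr.exe.
CONSTRUCTED_INJECTION = [(2184, 3648)]

# Captures the jar given to -cp, quoted or not.
_CP_JAR_RE = re.compile(r'-cp\s+"?([^"\s]+\.jar)', re.IGNORECASE)
_JAVA_IMAGES = ("java.exe", "javaw.exe")


def build_tree(records) -> Dict[int, Proc]:
    """Index the records by PID and fill in each parent's children list."""
    procs = {pid: Proc(pid, image, cmdline, ppid) for pid, ppid, image, cmdline in records}
    for p in procs.values():
        if p.parent in procs:
            procs[p.parent].children.append(p.pid)
    return procs


def roots(procs: Dict[int, Proc]) -> List[int]:
    """PIDs with no known parent: each is the top of a separate tree."""
    return sorted(p.pid for p in procs.values() if p.parent not in procs)


def classify_writes(procs: Dict[int, Proc], events) -> List[Tuple[int, int, str]]:
    """Label a write 'child' when the target is the writer's direct child
    (explained by process creation) and 'foreign' otherwise."""
    out = []
    for writer, target in events:
        children = procs[writer].children if writer in procs else []
        out.append((writer, target, "child" if target in children else "foreign"))
    return out


def relaunched_jars(procs: Dict[int, Proc]) -> List[Tuple[int, str]]:
    """Java processes whose -cp jar is under AppData\\Roaming and which have
    another Java process among their ancestors."""
    hits = []
    for p in procs.values():
        if not p.image.lower().endswith(_JAVA_IMAGES):
            continue
        m = _CP_JAR_RE.search(p.cmdline)
        if not m or "\\AppData\\Roaming\\" not in m.group(1):
            continue
        anc = p.parent
        while anc in procs:
            if procs[anc].image.lower().endswith(_JAVA_IMAGES):
                hits.append((p.pid, m.group(1)))
                break
            anc = procs[anc].parent
    return hits


if __name__ == "__main__":
    tree = build_tree(PROCESSES)
    print("roots:", roots(tree))
    for row in classify_writes(tree, WRITE_EVENTS + CONSTRUCTED_INJECTION):
        print("write:", row)
    print("relaunched jars:", relaunched_jars(tree))
```

The same three functions work unchanged on process-creation records exported from a real endpoint, as long as each record carries the PID, parent PID, image path and command line.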
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 50B
MD5: 048a706cc8ed48019881d4482b404979
SHA1: cc415f54dddefb8d82d32776fe68f80a0ac6f7df
SHA256: 8da84ada4202f489c70bd3f22e5c185493f184e43e651d556d53596f319986d6
SHA512: 3f5177de3ffd430dc53ef46fdbb665ee4c4c171c72fe9f772279ee13655905b875f9ebdc7865510d01434fc2447cef9d1e4e43404427dc6929fcdf908f911cb9