Analysis

  • max time kernel
    82s
  • max time network
    62s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    01/02/2023, 21:11

General

  • Target

    launcher.jar

  • Size

    3.9MB

  • MD5

    a7cae50be0f0efbc4b2615679ea0a4de

  • SHA1

    ec466e117fd221170f2d7ac8b7966d2fe314999a

  • SHA256

    81ab6677e3b37fb3d1a1dad4bb7ce7026d532f80985839376e5d00f8d6b7f8cd

  • SHA512

    300b0108507a7e775faa1f6c161387950f542431049aeacd5b4dc0e18b4d748342882612a3df07f32e5188789e50090ea5a440bc55ea359e5798a80a69566031

  • SSDEEP

    98304:2Gii/Z2sZ3ZAnXh9pmmGaOt0aYalan32F638os0DH:WWZ+xnOtdAgPP0DH

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory (2 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (24 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (50 IoCs)
  • Suspicious use of SendNotifyMessage (50 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\launcher.jar
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c ""C:\Program Files\Java\jre1.8.0_66\bin\javaw" -Xmx512m -cp "C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\launcher.jar" fr.salwyrr.launcher.frames.Main --salwyrr salwyrr "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3508
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw" -Xmx512m -cp "C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\launcher.jar" fr.salwyrr.launcher.frames.Main --salwyrr salwyrr
        3⤵
        PID:4936
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3648

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

    Filesize
    50B

    MD5
    048a706cc8ed48019881d4482b404979

    SHA1
    cc415f54dddefb8d82d32776fe68f80a0ac6f7df

    SHA256
    8da84ada4202f489c70bd3f22e5c185493f184e43e651d556d53596f319986d6

    SHA512
    3f5177de3ffd430dc53ef46fdbb665ee4c4c171c72fe9f772279ee13655905b875f9ebdc7865510d01434fc2447cef9d1e4e43404427dc6929fcdf908f911cb9

  • memory/2184-122-0x0000000002700000-0x0000000003700000-memory.dmp

    Filesize
    16.0MB

  • memory/4936-140-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

    Filesize
    16.0MB