41a037f09bf41b5cb1ca453289e6ca961d61cd96eeefb1b5bbf153612396d919

Resubmissions

18/06/2023, 15:24

230618-stfkhsga79 10

18/06/2023, 15:22

230618-sr1gxaga72 10

07/06/2023, 11:48

230607-nyfzmahh26 7

Analysis

max time kernel
201s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/06/2023, 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

178.jar
Size

13.9MB
MD5

a7eeab7e2e90d0373ebfb15243bff81a
SHA1

fc32670a240a9e42ba6c453a68dec0933a85355f
SHA256

41a037f09bf41b5cb1ca453289e6ca961d61cd96eeefb1b5bbf153612396d919
SHA512

bec9fe1bd4305326e307a9ebeb17d7e4ba3c4f0bc108e7d39c93a74faee174b762bb06a4ef7c4e04f4284c4e6c351aac249e74619d473a4539436e28a82a066f
SSDEEP

196608:pYBQXEPt5WaR6SynIRkIqZ81rI61CYYY+YA+X3vMMIYlRCu+EGlYxMrdhMTbnb:8rt5WaRRkZ81rtTidk/MMUlwmhMTLb

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jre-8u333-windows-i586.jar	javaw.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jre-8u333-windows-i586.jar	javaw.exe

Loads dropped DLL 3 IoCs

pid	Process
1236	java.exe
3240	javaw.exe
3240	javaw.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2152	taskmgr.exe
2152	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	taskmgr.exe
Token: SeSystemProfilePrivilege	2152	taskmgr.exe
Token: SeCreateGlobalPrivilege	2152	taskmgr.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2152	taskmgr.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2152	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1236	java.exe
1236	java.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe
3240	javaw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 3240	1236	java.exe	85
PID 1236 wrote to memory of 3240	1236	java.exe	85
PID 3240 wrote to memory of 3384	3240	javaw.exe	87
PID 3240 wrote to memory of 3384	3240	javaw.exe	87
PID 3240 wrote to memory of 1532	3240	javaw.exe	91
PID 3240 wrote to memory of 1532	3240	javaw.exe	91

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\178.jar
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw" -jar "C:\Users\Admin\AppData\Local\Temp\178.jar" DELAY:3
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\SYSTEM32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    PID:3384
- - C:\Windows\SYSTEM32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    PID:1532

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
ab5706066d4d6a51e288d01660c2fb19

SHA1
c778fc9889bdc5cd62e0be3b296951bfc808155f

SHA256
bf9aa4462aec9f142383ef90c67e7f44d1ec0125cb7b02e689dd7f762c029333

SHA512
03a85ad2ebf51697d0d12b5682b88622dee2c45e071e2a81d804bc8cb20d62c03ff6cc43e96a2751412d44f0b48d85f11cdfd9af57d693e11c43247cf8367803

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNativeHook-385777659FA84E94A3812EB9A8AFAD27AE3CEED4.x86_64.dll

Filesize
80KB

MD5
e9a449971b9efb0a2e12b9cfdd95c076

SHA1
385777659fa84e94a3812eb9a8afad27ae3ceed4

SHA256
b8c331c9f915960201da9af9c9dc8309e95e7d533741e71f4a5d13ca007d3e18

SHA512
bbcaf66b316cb60c63bb190099bee36a0059f13fa35fdf3a9a3e7e9a5304abe57acd71d644cde554427825249b460d58f0aba79f599f0c6fa40d23ea21aa941d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNativeHook-7529788856505430283.x86_64.dll

Filesize
80KB

MD5
e9a449971b9efb0a2e12b9cfdd95c076

SHA1
385777659fa84e94a3812eb9a8afad27ae3ceed4

SHA256
b8c331c9f915960201da9af9c9dc8309e95e7d533741e71f4a5d13ca007d3e18

SHA512
bbcaf66b316cb60c63bb190099bee36a0059f13fa35fdf3a9a3e7e9a5304abe57acd71d644cde554427825249b460d58f0aba79f599f0c6fa40d23ea21aa941d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNativeHook-7529788856505430283.x86_64.dll

Filesize
80KB

MD5
e9a449971b9efb0a2e12b9cfdd95c076

SHA1
385777659fa84e94a3812eb9a8afad27ae3ceed4

SHA256
b8c331c9f915960201da9af9c9dc8309e95e7d533741e71f4a5d13ca007d3e18

SHA512
bbcaf66b316cb60c63bb190099bee36a0059f13fa35fdf3a9a3e7e9a5304abe57acd71d644cde554427825249b460d58f0aba79f599f0c6fa40d23ea21aa941d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna9065488366669332462.dll

Filesize
248KB

MD5
4de85f9679c3a75f6d7d3e56094aa106

SHA1
052f62fb2ebec89fbe412db480865910eab693ad

SHA256
3d1b2427b45ff5178bbb4db395758bedd3a1e91121ebb3e3640b5c4e20eb22cc

SHA512
e8357eabd548ffeba42715d891b9e1ed22b7bf720f48b1888407b9ebe7a796719c60a38f4fb8bb1cf32d3c9bed210a07cc227424ef991d356ec3acef9e6223ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1529757233-3489015626-3409890339-1000\83aa4cc77f591dfc2374580bbd95f6ba_2007c659-eb65-4631-bf41-16f7650120a3

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/1236-158-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1236-143-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1236-155-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/3240-175-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3240-185-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3240-187-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3240-211-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3240-213-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3240-254-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download