Analysis
- max time kernel: 159s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2023 13:08
Static task: static1
Behavioral task: behavioral1
- Sample: c65c347ce9c62b8765831f0deb11be08eb8818c036587c1a2b0da2dab7aa5d7a.jar
- Resource: win7-20230621-en
Behavioral task: behavioral2
- Sample: c65c347ce9c62b8765831f0deb11be08eb8818c036587c1a2b0da2dab7aa5d7a.jar
- Resource: win10v2004-20230621-en
General
- Target: c65c347ce9c62b8765831f0deb11be08eb8818c036587c1a2b0da2dab7aa5d7a.jar
- Size: 1.7MB
- MD5: e93b8dddfc9715f1785ff8f554d538a8
- SHA1: b422408ee20b3a939c498640feeec475356f1f40
- SHA256: c65c347ce9c62b8765831f0deb11be08eb8818c036587c1a2b0da2dab7aa5d7a
- SHA512: 243a245bc98b1d638973880548004e2586bc77414190389028e1b71f51e97682bb4b6bd77038a54b19c03ad27e591f581adfa6dd2b5e5437e9bad58b78ac8f34
- SSDEEP: 24576:bkcaLIcf9nvqbObzSXDNcWWulzIR8mtZhtuVRfkN5khK8e4lLIghRh2GjL00dyJn:BaLIcJiybzSzGEq8etuVxa5kYl4h7SlF
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1688130610938.tmp" | reg.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: java.exe
  pid | process
  3696 | java.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: java.exe, cmd.exe
  description | pid | process | target process
  PID 3696 wrote to memory of 4704 | 3696 | java.exe | cmd.exe
  PID 3696 wrote to memory of 4704 | 3696 | java.exe | cmd.exe
  PID 4704 wrote to memory of 1640 | 4704 | cmd.exe | reg.exe
  PID 4704 wrote to memory of 1640 | 4704 | cmd.exe | reg.exe
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\c65c347ce9c62b8765831f0deb11be08eb8818c036587c1a2b0da2dab7aa5d7a.jar
  PID: 3696
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (child of PID 3696)
    Command line: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1688130610938.tmp" /f"
    PID: 4704
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (child of PID 4704)
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1688130610938.tmp" /f
      PID: 1640
      - Adds Run key to start application