Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-07-2023 11:46

General

  • Target

    jre-6u25-windows-x64.exe

  • Size

    16.1MB

  • MD5

    44632e1d79bec1790fe72f76dbab1e75

  • SHA1

    fe7248273ff57960fc151bf96d814bc8a297063b

  • SHA256

    5b623c9877ad3c91fbf0b98b109f09f4d251856eeab637a46af29e946af4ef91

  • SHA512

    5fe963bc83370abf35414f42e02b6fbd70d29d84c95b4292f81b040c8d33cdcdd9c0a81a8f3fc3ca3e8b8bfdb02d0ef6761729f88cf8eee44002092327b41fe9

  • SSDEEP

    393216:e0iHkoRtJOLRYLmfjZC9Pyqbmvuu34VJ5LRK:Wko4eLgk97acJFM

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\jre-6u25-windows-x64.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-6u25-windows-x64.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.6.0_25_x64\jre1.6.0_25.msi" METHOD=joff
      2⤵
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4352
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 1310A8B33A6CBE38054ED19E45461818 C
      2⤵
      • Loads dropped DLL
      PID:2832
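
The process tree above is the standard Windows Installer hand-off: the downloaded installer runs msiexec.exe /i on an MSI it dropped under LocalLow, the MSI service (msiexec.exe /V) spawns an -Embedding child, and that child loads a DLL dropped as MSI8C81.tmp, which is the custom-action DLL Windows Installer extracts for the package. A trojanized installer does exactly the same thing, so the "Loads dropped DLL" hit is only a lead; what separates the two is the hash (or signature) of the DLL. The following is an added example, not part of the Triage report, that rebuilds the chain from constructed Sysmon-style events and flags the temp-DLL load, keyed against an allowlist that here contains the report's SHA256 for MSI8C81.tmp. The event records, the parent PIDs outside the report (1000, 800) and the simplified field names are assumptions.

```python
"""Added example (not part of the sandbox report): rebuild the report's
process chain from constructed Sysmon-style events and flag the MSI
custom-action pattern, where a msiexec.exe child started with -Embedding
loads a DLL dropped under %TEMP%\\MSI*.tmp.

The events below are constructed from the paths, command lines and PIDs in
the report; field names follow Sysmon ProcessCreate (Event 1) and ImageLoad
(Event 7) loosely, but nothing here was captured from a real host.
"""
import re
from collections import defaultdict

# Custom-action DLLs are extracted as %TEMP%\MSI<4 hex>.tmp.
TEMP_MSI_DLL = re.compile(r"\\AppData\\Local\\Temp\\MSI[0-9A-F]{4}\.tmp$", re.I)
# The MSI service launches custom-action hosts as "MsiExec.exe -Embedding <id> ...".
EMBEDDING = re.compile(r"\bmsiexec\.exe\b.*\s-Embedding\s", re.I)

# Constructed events (see docstring). ppid 1000 and 800 are assumed parents
# (explorer.exe and services.exe are not in the report).
EVENTS = [
    {"id": 1, "pid": 4104, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\jre-6u25-windows-x64.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\jre-6u25-windows-x64.exe"'},
    {"id": 1, "pid": 4352, "ppid": 4104,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'"C:\Windows\System32\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.6.0_25_x64\jre1.6.0_25.msi" METHOD=joff'},
    {"id": 1, "pid": 4608, "ppid": 800,
     "image": r"C:\Windows\system32\msiexec.exe",
     "cmd": r"C:\Windows\system32\msiexec.exe /V"},
    {"id": 1, "pid": 2832, "ppid": 4608,
     "image": r"C:\Windows\System32\MsiExec.exe",
     "cmd": r"C:\Windows\System32\MsiExec.exe -Embedding 1310A8B33A6CBE38054ED19E45461818 C"},
    {"id": 7, "pid": 2832,
     "image": r"C:\Windows\System32\MsiExec.exe",
     "loaded": r"C:\Users\Admin\AppData\Local\Temp\MSI8C81.tmp",
     "sha256": "1096d8b0e56e3f148ad1ef2dd2047344196719d2229e57d69d7d87b73c505f94"},
]

# Reviewed custom-action DLLs; the value is the report's SHA256 for MSI8C81.tmp.
# Without an allowlist this rule fires on every installer that ships a custom action.
KNOWN_CUSTOM_ACTIONS = {
    "1096d8b0e56e3f148ad1ef2dd2047344196719d2229e57d69d7d87b73c505f94":
        "jre1.6.0_25.msi custom action (hash from the report)",
}


def build_tree(events):
    """Return (processes by pid, child pids by parent pid) from ProcessCreate events."""
    procs, children = {}, defaultdict(list)
    for e in events:
        if e["id"] == 1:
            procs[e["pid"]] = e
            children[e["ppid"]].append(e["pid"])
    return procs, children


def ancestry(procs, pid):
    """Walk parent links upward; stops at the first pid absent from the event set."""
    chain = []
    while pid in procs:
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def find_dropped_dll_loads(events, allowlist=KNOWN_CUSTOM_ACTIONS):
    """Flag ImageLoad events where a msiexec -Embedding child maps a Temp\\MSI*.tmp DLL."""
    procs, _ = build_tree(events)
    findings = []
    for e in events:
        if e["id"] != 7 or not TEMP_MSI_DLL.search(e["loaded"]):
            continue
        loader = procs.get(e["pid"])
        if loader is None or not EMBEDDING.search(loader["cmd"]):
            continue
        findings.append({
            "pid": e["pid"],
            "dll": e["loaded"],
            "sha256": e.get("sha256"),
            "known": e.get("sha256") in allowlist,
            "chain": [p["cmd"] for p in ancestry(procs, e["pid"])],
        })
    return findings


if __name__ == "__main__":
    for f in find_dropped_dll_loads(EVENTS):
        status = "allowlisted" if f["known"] else "REVIEW"
        print(f"[{status}] pid {f['pid']} loaded {f['dll']}")
        for cmd in f["chain"]:
            print("    <-", cmd)
```

The ancestry walk stops at the MSI service because the -Embedding child is started by msiexec /V, not by the installer; to tie the load back to jre-6u25-windows-x64.exe you correlate on the MSI path from the /i command line or on timing, which is the same gap the report's two separate process roots reflect.
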

Network

  • DNS [US]
    javadl-esd.sun.com
    jre-6u25-windows-x64.exe
    Remote address:
    8.8.8.8:53
    Request
    javadl-esd.sun.com
    IN A
    Response
    javadl-esd.sun.com
    IN CNAME
    javadl-esd-sino.sun.com.edgesuite.net
    javadl-esd-sino.sun.com.edgesuite.net
    IN CNAME
    a1799.d.akamai.net
    a1799.d.akamai.net
    IN A
    23.63.101.155
    a1799.d.akamai.net
    IN A
    23.63.101.154
  • GET [NL]
    http://javadl-esd.sun.com/update/1.6.0/1.6.0_25-b06.xml
    jre-6u25-windows-x64.exe
    Remote address:
    23.63.101.155:80
    Request
    GET /update/1.6.0/1.6.0_25-b06.xml HTTP/1.1
    User-Agent: jupdate
    Host: javadl-esd.sun.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Type: application/xml
    ETag: "9e4d7a3b0782e5a37fba3e68a6ad06ad:1534185705"
    Last-Modified: Tue, 05 Sep 2017 18:42:35 GMT
    Server: AkamaiNetStorage
    Content-Length: 1299
    Expires: Wed, 19 Jul 2023 12:06:58 GMT
    Cache-Control: max-age=0, no-cache
    Pragma: no-cache
    Date: Wed, 19 Jul 2023 12:06:58 GMT
    Connection: keep-alive
  • DNS reverse (PTR) lookups [US], all sent to 8.8.8.8:53, no originating process recorded:
    2.136.104.51.in-addr.arpa        IN PTR   (empty response)
    254.20.238.8.in-addr.arpa        IN PTR   (empty response)
    155.101.63.23.in-addr.arpa       IN PTR   a23-63-101-155.deploy.static.akamaitechnologies.com
    68.32.126.40.in-addr.arpa        IN PTR   (empty response)
    108.211.229.192.in-addr.arpa     IN PTR   (empty response)
    26.35.223.20.in-addr.arpa        IN PTR   (empty response)
    208.194.73.20.in-addr.arpa       IN PTR   (empty response)
    202.74.101.95.in-addr.arpa       IN PTR   a95-101-74-202.deploy.static.akamaitechnologies.com
    59.128.231.4.in-addr.arpa        IN PTR   (empty response)
    158.240.127.40.in-addr.arpa      IN PTR   (empty response)
    26.165.165.52.in-addr.arpa       IN PTR   (empty response)
    206.23.85.13.in-addr.arpa        IN PTR   (empty response)
    63.13.109.52.in-addr.arpa        IN PTR   (empty response)
    2.173.189.20.in-addr.arpa        IN PTR   (empty response)
  Connections (Out/In: bytes and packets sent from, and received by, the sandbox VM)

  Remote address    Name / URL                                                Proto  Process                   Out    In     Pkts out  Pkts in
  23.63.101.155:80  http://javadl-esd.sun.com/update/1.6.0/1.6.0_25-b06.xml  http   jre-6u25-windows-x64.exe  440 B  1.9kB  7         5
  8.8.8.8:53        javadl-esd.sun.com                                        dns    jre-6u25-windows-x64.exe  64 B   176 B  1         1
  8.8.8.8:53        2.136.104.51.in-addr.arpa                                 dns    -                         71 B   157 B  1         1
  8.8.8.8:53        254.20.238.8.in-addr.arpa                                 dns    -                         71 B   125 B  1         1
  8.8.8.8:53        155.101.63.23.in-addr.arpa                                dns    -                         72 B   137 B  1         1
  8.8.8.8:53        68.32.126.40.in-addr.arpa                                 dns    -                         71 B   157 B  1         1
  8.8.8.8:53        108.211.229.192.in-addr.arpa                              dns    -                         74 B   145 B  1         1
  8.8.8.8:53        26.35.223.20.in-addr.arpa                                 dns    -                         71 B   157 B  1         1
  8.8.8.8:53        208.194.73.20.in-addr.arpa                                dns    -                         72 B   158 B  1         1
  8.8.8.8:53        202.74.101.95.in-addr.arpa                                dns    -                         72 B   137 B  1         1
  8.8.8.8:53        59.128.231.4.in-addr.arpa                                 dns    -                         71 B   157 B  1         1
  8.8.8.8:53        158.240.127.40.in-addr.arpa                               dns    -                         73 B   147 B  1         1
  8.8.8.8:53        26.165.165.52.in-addr.arpa                                dns    -                         72 B   146 B  1         1
  8.8.8.8:53        206.23.85.13.in-addr.arpa                                 dns    -                         71 B   145 B  1         1
  8.8.8.8:53        63.13.109.52.in-addr.arpa                                 dns    -                         71 B   145 B  1         1
  8.8.8.8:53        2.173.189.20.in-addr.arpa                                 dns    -                         71 B   157 B  1         1

  HTTP request (jre-6u25-windows-x64.exe): GET http://javadl-esd.sun.com/update/1.6.0/1.6.0_25-b06.xml, HTTP response 200
  DNS request (jre-6u25-windows-x64.exe): javadl-esd.sun.com, DNS response 23.63.101.155, 23.63.101.154
  The remaining rows are the PTR requests listed above; no process is attributed to them.

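The only process-attributed traffic is the installer's own update check: one DNS query for javadl-esd.sun.com that resolves through two CNAMEs to Akamai, then a GET over plain HTTP (port 80) with User-Agent jupdate for the 1.6.0_25-b06 manifest. The check travels in cleartext, so whatever integrity the update path has rests on what the client verifies inside the XML, not on the transport. The following is an added example, not part of the report and not Oracle's code, that parses these captured records, follows the CNAME chain to the CDN addresses and records what a reviewer should note. The inputs are transcribed from the entries above; the notes and the manifest-path pattern are this example's own assumptions. The unattributed PTR lookups are left out.

```python
"""Added example (not part of the sandbox report): parse the DNS answers and
the raw HTTP request recorded in the Network section, follow the CNAME chain
to the CDN addresses, and list what the update check exposes. The inputs are
transcribed from the report; the rules are this example's own, not Triage's
or Oracle's.
"""
import re

# Transcribed from the report's DNS entry for javadl-esd.sun.com.
DNS_ANSWERS = [
    ("javadl-esd.sun.com", "CNAME", "javadl-esd-sino.sun.com.edgesuite.net"),
    ("javadl-esd-sino.sun.com.edgesuite.net", "CNAME", "a1799.d.akamai.net"),
    ("a1799.d.akamai.net", "A", "23.63.101.155"),
    ("a1799.d.akamai.net", "A", "23.63.101.154"),
]

# Transcribed from the report's HTTP entry (CRLF line endings restored).
RAW_REQUEST = (
    "GET /update/1.6.0/1.6.0_25-b06.xml HTTP/1.1\r\n"
    "User-Agent: jupdate\r\n"
    "Host: javadl-esd.sun.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
REMOTE = ("23.63.101.155", 80)

# Path layout of the update manifest as seen in this capture (assumed pattern).
MANIFEST_PATH = re.compile(r"^/update/(\d+\.\d+\.\d+)/(\d+\.\d+\.\d+_\d+)-b(\d+)\.xml$")


def resolve_chain(name, answers, max_hops=8):
    """Follow CNAME records until A records appear; return (names, ips)."""
    names = [name]
    for _ in range(max_hops):
        ips = [v for n, t, v in answers if n == name and t == "A"]
        if ips:
            return names, ips
        cnames = [v for n, t, v in answers if n == name and t == "CNAME"]
        if not cnames:
            return names, []
        name = cnames[0]
        names.append(name)
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def parse_request(raw):
    """Split an HTTP/1.x request head into method, target, version and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def assess_update_check(raw, remote, answers):
    """Tie the request to the DNS answers and list what a reviewer should note."""
    req = parse_request(raw)
    host = req["headers"].get("host", "")
    names, ips = resolve_chain(host, answers)
    m = MANIFEST_PATH.match(req["target"])
    result = {
        "host": host,
        "cname_chain": names,
        "resolved_ips": ips,
        "remote_in_answers": remote[0] in ips,
        "version": m.groups() if m else None,
        "cleartext": remote[1] == 80,
        "user_agent": req["headers"].get("user-agent"),
        "notes": [],
    }
    if result["user_agent"] == "jupdate":
        result["notes"].append("request comes from the Java update component (User-Agent jupdate)")
    if result["cleartext"]:
        result["notes"].append("manifest fetched over plain HTTP: an on-path attacker can serve a "
                               "different XML; integrity rests on whatever the client checks inside it")
    if not result["remote_in_answers"]:
        result["notes"].append("remote address is not one of the resolved A records")
    return result


if __name__ == "__main__":
    r = assess_update_check(RAW_REQUEST, REMOTE, DNS_ANSWERS)
    print(r["host"], "->", " -> ".join(r["cname_chain"][1:]), "->", ", ".join(r["resolved_ips"]))
    print("manifest version:", r["version"])
    for note in r["notes"]:
        print(" -", note)
```

The remote address check matters when the sandbox's recorded peer does not appear in the DNS answers at all, which is what a hard-coded IP or a hosts-file override looks like in a capture; here it matches the first A record, as expected for a CDN.
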
MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.6.0_25_x64\jre1.6.0_25.msi

    Filesize

    666KB

    MD5

    dda7f40550bf9fe60d92c21a8b178ec2

    SHA1

    c521736f4b82ff666e5cadef80101dce08e1a5d3

    SHA256

    03557cf4e516fb1da79a7c9b0bb886235d98f6f006fe98cada13c27fd890a798

    SHA512

    7ae993c33c6b2e64e69b98d5a85bc654884dc4ce4d90dd71340495c1788683031a18aa5e691dff09c8a2aa3f725fdb730785901a670caf890c941606ad5afc26

  • C:\Users\Admin\AppData\Local\Temp\MSI8C81.tmp

    Filesize

    103KB

    MD5

    d1c4f355d9924611bf790ab7e9973806

    SHA1

    b688845aea73f6696c14187bdf31c46242090272

    SHA256

    1096d8b0e56e3f148ad1ef2dd2047344196719d2229e57d69d7d87b73c505f94

    SHA512

    5fb79e0a88350f0508570062b7206f0f3161e738f7d9e9a217d74776a143dcd5e399741eedca71e0dea16f09a5b2c9f782750d6b0951aaf0d48603cf95f7b1bb
