Malware Analysis Report

2024-12-07 20:52

Sample ID 230824-mhhb3sdc41
Target 2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e.jar
SHA256 2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e
Tags
Score 4/10

Analysis Overview

Score 4/10

SHA256

2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e

Threat Level: Likely benign

The file 2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e.jar was found to be: Likely benign.

Malicious Activity Summary


Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-24 10:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-24 10:27

Reported

2023-08-24 10:29

Platform

win10-20230703-en

Max time kernel

8s

Max time network

98s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e.jar

Signatures

Drops file in Windows directory

Description  | Indicator                                                    | Process                          | Target
File created | C:\Windows\rescache\_merged\4183903823\810424605.pri  | C:\Windows\system32\taskmgr.exe  | N/A
File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\system32\taskmgr.exe  | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process                         | Target
N/A         | N/A       | C:\Windows\system32\taskmgr.exe | N/A
N/A         | N/A       | C:\Windows\system32\taskmgr.exe | N/A
N/A         | N/A       | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description                      | Indicator | Process                         | Target
Token: SeDebugPrivilege          | N/A       | C:\Windows\system32\taskmgr.exe | N/A
Token: SeSystemProfilePrivilege  | N/A       | C:\Windows\system32\taskmgr.exe | N/A
Token: SeCreateGlobalPrivilege   | N/A       | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of WriteProcessMemory

Description                   | Indicator | Process                                      | Target
PID 1100 wrote to memory of 5116 | N/A    | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\wscript.exe
PID 1100 wrote to memory of 5116 | N/A    | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\wscript.exe
PID 5116 wrote to memory of 4204 | N/A    | C:\Windows\SYSTEM32\wscript.exe              | C:\Windows\System32\WScript.exe
PID 5116 wrote to memory of 4204 | N/A    | C:\Windows\SYSTEM32\wscript.exe              | C:\Windows\System32\WScript.exe

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e.jar

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SYSTEM32\wscript.exe

wscript C:\Users\Admin\auadjkcvuo.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\MHsaSuFjvX.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\prpqwy.txt"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.047072078428894053091465460767613926.class

Network

Files

memory/1100-4-0x0000000002490000-0x0000000003490000-memory.dmp

memory/1100-13-0x0000000000960000-0x0000000000961000-memory.dmp

C:\Users\Admin\auadjkcvuo.js

MD5 e6ed63c61a7ca096c6f6c34a2fee8f3e
SHA1 d30f07297d8721b6bdd1d4fb0ae3fd2974756cce
SHA256 fd7bd01b7bfae6a1e7b081bfd04199063e3155cd9744142b136c6bcbfe6bd4a0
SHA512 933f539ac918eaa17d8a4e01c354ea4078a6239702e90bb7e32e51d15156bd8053a37c4fd5c3ace2d2f22857600b92e3a78e7fb90184806e9a20d48b12b61123

C:\Users\Admin\AppData\Roaming\MHsaSuFjvX.js

MD5 75570c99891c0563e8d1ab94999955a7
SHA1 fd9fe8d5d438d1a7b12069ee770654a5a283d08d
SHA256 1c47f96f2b1be9434870a1fec926c344ef74106ed2c0fd4c9c0f985c5607e775
SHA512 b64f2bf6dbb8cb97106760a37fbdab600e8c71f0a668f6f10a5155543294c2ac310b6becfdccc306d12e26b84e1fe7a264894411e751e3e2d0b9c87bb4221ec5

C:\Users\Admin\AppData\Roaming\prpqwy.txt

MD5 e4b4412a2e52f64ef1beb46cd4721869
SHA1 0d0f4da4f00ae3f424c3d70dd8a0426110696c4c
SHA256 7b7eb48626556344bbdddfb6d37173be5032093087635c81cb236e1d43c94b3c
SHA512 38e2e1813dcc5c7770d46611dde3cfebab1773c1837659ec662c0f38690d95aa48e3f732ff210e61216f9d3dc5530c8b754fb29c17cb3990409364acd8856144

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 378f8128f46ac560c99ea774d9ebd411
SHA1 4e8a1d3177fe5fd9f716acd920b71c87935db46c
SHA256 f28a9e4139addf5b53fd040af5e03730db7fc90e3fcfa32d800e426118f2f102
SHA512 8b26353587cd86301a18ab41f4ec02724abed3962310e59a7f3b1ff040f89dafd75b34b186bd568abda5a64fc5422999dbe0e26562cbae9442930d0474e51f5a

memory/4824-31-0x0000000002780000-0x0000000003780000-memory.dmp

memory/4824-38-0x0000000000780000-0x0000000000781000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_0.047072078428894053091465460767613926.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

memory/1348-56-0x0000000003290000-0x0000000004290000-memory.dmp

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 c4a42ad6ac77d770171fd843920e30e2
SHA1 8940bd231cfd1d468755e1d169a67a047cc2f91a
SHA256 21dbe776da7740502efc56731b477fa03dd97e3574f1318c03efd8204ac53285
SHA512 36f6e1e8500485d2c00399b7593f89edc4458588b3e6eed502d568df7b7d5070064fff172db75cf33e8bec19d0f3d122800ea80b1b7d7cb6035a948723bb80f6

memory/1348-58-0x0000000002F90000-0x0000000002F91000-memory.dmp

memory/1348-62-0x0000000002F90000-0x0000000002F91000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1148472871-1113856141-1322182616-1000\83aa4cc77f591dfc2374580bbd95f6ba_56102b4f-820e-4a73-b05f-d08577ab0d91

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/4824-72-0x0000000002780000-0x0000000003780000-memory.dmp

memory/4824-74-0x0000000000780000-0x0000000000781000-memory.dmp

memory/4824-78-0x0000000000780000-0x0000000000781000-memory.dmp

memory/4824-80-0x0000000000780000-0x0000000000781000-memory.dmp

memory/1348-88-0x0000000002F90000-0x0000000002F91000-memory.dmp

memory/4824-92-0x0000000000780000-0x0000000000781000-memory.dmp

memory/4824-94-0x0000000002780000-0x0000000003780000-memory.dmp

memory/1348-100-0x0000000002F90000-0x0000000002F91000-memory.dmp

memory/4824-101-0x0000000000780000-0x0000000000781000-memory.dmp