9d6cff1f9d4a7363027f53f4e85c8b74e235a2884463b7475fc1b83aee2d000e

General

Target

recaf-2.21.13-J8-jar-with-dependencies.jar
Size

19.8MB
MD5

2afa4c55d98d7f8834550126d303ec43
SHA1

991efc54627ed3bc9849f2f68a19cb40c4f1d538
SHA256

9d6cff1f9d4a7363027f53f4e85c8b74e235a2884463b7475fc1b83aee2d000e
SHA512

97e9bb1beb066a5fdab7976c956ebb66e891069cdfd857b2673702137bfc19d63fb23bef438f80e768a6b10b8c16ed18ed47e02d955bb0fa196a873320745816
SSDEEP

393216:P6TSCuyERST+ghM3moTHFtjguAnHIUZjW3REpFYXMdoCjEYvSNg9:P6fWRK+bWqtjXEoUrFYXYo/La9

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	java.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4680	powershell.exe
4680	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 4680	2220	java.exe	83
PID 2220 wrote to memory of 4680	2220	java.exe	83
PID 4680 wrote to memory of 2860	4680	powershell.exe	85
PID 4680 wrote to memory of 2860	4680	powershell.exe	85
PID 2860 wrote to memory of 1800	2860	csc.exe	88
PID 2860 wrote to memory of 1800	2860	csc.exe	88

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\recaf-2.21.13-J8-jar-with-dependencies.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -EncodedCommand JgAgAHsACgBbAEMAbwBuAHMAbwBsAGUAXQA6ADoATwB1AHQAcAB1AHQARQBuAGMAbwBkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgACgBBAGQAZAAtAFQAeQBwAGUAIABAACIACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwAKAHAAdQBiAGwAaQBjACAAYwBsAGEAcwBzACAARABpAHIAIAB7AAoAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHMAaABlAGwAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIABwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBIAEcAZQB0AEsAbgBvAHcAbgBGAG8AbABkAGUAcgBQAGEAdABoACgAWwBNAGEAcgBzAGgAYQBsAEEAcwAoAFUAbgBtAGEAbgBhAGcAZQBkAFQAeQBwAGUALgBMAFAAUwB0AHIAdQBjAHQAKQBdACAARwB1AGkAZAAgAHIAZgBpAGQALAAgAHUAaQBuAHQAIABkAHcARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGgAVABvAGsAZQBuACwAIABvAHUAdAAgAEkAbgB0AFAAdAByACAAcABzAHoAUABhAHQAaAApADsACgAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAARwBlAHQASwBuAG8AdwBuAEYAbwBsAGQAZQByAFAAYQB0AGgAKABzAHQAcgBpAG4AZwAgAHIAZgBpAGQAKQAgAHsACgAgACAAIAAgAEkAbgB0AFAAdAByACAAcABzAHoAUABhAHQAaAA7AAoAIAAgACAAIABpAGYAIAAoAFMASABHAGUAdABLAG4AbwB3AG4ARgBvAGwAZABlAHIAUABhAHQAaAAoAG4AZQB3ACAARwB1AGkAZAAoAHIAZgBpAGQAKQAsACAAMAAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIABvAHUAdAAgAHAAcwB6AFAAYQB0AGgAKQAgACEAPQAgADAAKQAgAHIAZQB0AHUAcgBuACAAIgAiADsACgAgACAAIAAgAHMAdAByAGkAbgBnACAAcABhAHQAaAAgAD0AIABNAGEAcgBzAGgAYQBsAC4AUAB0AHIAVABvAFMAdAByAGkAbgBnAFUAbgBpACgAcABzAHoAUABhAHQAaAApADsACgAgACAAIAAgAE0AYQByAHMAaABhAGwALgBGAHIAZQBlAEMAbwBUAGEAcwBrAE0AZQBtACgAcABzAHoAUABhAHQAaAApADsACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHQAaAA7AAoAIAAgAH0ACgB9AAoAIgBAAAoAWwBEAGkAcgBdADoAOgBHAGUAdABLAG4AbwB3AG4ARgBvAGwAZABlAHIAUABhAHQAaAAoACIANQBFADYAQwA4ADUAOABGAC0AMABFADIAMgAtADQANwA2ADAALQA5AEEARgBFAC0ARQBBADMAMwAxADcAQgA2ADcAMQA3ADMAIgApAAoAWwBEAGkAcgBdADoAOgBHAGUAdABLAG4AbwB3AG4ARgBvAGwAZABlAHIAUABhAHQAaAAoACIAMwBFAEIANgA4ADUARABCAC0ANgA1AEYAOQAtADQAQwBGADYALQBBADAAMwBBAC0ARQAzAEUARgA2ADUANwAyADkARgAzAEQAIgApAAoAWwBEAGkAcgBdADoAOgBHAGUAdABLAG4AbwB3AG4ARgBvAGwAZABlAHIAUABhAHQAaAAoACIARgAxAEIAMwAyADcAOAA1AC0ANgBGAEIAQQAtADQARgBDAEYALQA5AEQANQA1AC0ANwBCADgARQA3AEYAMQA1ADcAMAA5ADEAIgApAAoAfQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nab4pfu4\nab4pfu4.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES153.tmp" "c:\Users\Admin\AppData\Local\Temp\nab4pfu4\CSC1CBDC0A678242539919F83AAB7DADF1.TMP"
      4⤵
      PID:1800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES153.tmp

Filesize
1KB

MD5
6c9444d421b15d737078eb17f730925a

SHA1
7f8e4f461f2db99456d20342f07face90437738d

SHA256
34295e6ff42b0e755069e24eaca97548a8308b6d7e26c4ca58249ef77cf3d824

SHA512
e383a2194df762221dc0d7d1ed40e54b44fbd59cbc61ff6d973c2c157b28bcec0e98046d0a2f60e2b62a92bc08a25fd629d94e1b6bc525680e51a5820def15ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdyypqjg.1ch.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nab4pfu4\nab4pfu4.dll

Filesize
3KB

MD5
1d92a02e4156b8cbd37b9cae35c807e3

SHA1
1622cf7fb72c976cbfe2eb274019023ea9bde14e

SHA256
f66759721c7c0ddbd8c879d819322322abcd75748a986de9b6d36f2c0c525136

SHA512
6b5f0b2acb3f45133efc07a7e4a2a122b77df11585c31964f21e330028ffa0272f3d93a99f6ab23901bf355f8f026c091bba84c627303eb0ba2b1759e7a2447a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nab4pfu4\CSC1CBDC0A678242539919F83AAB7DADF1.TMP

Filesize
652B

MD5
4e8bfa5ff84444f61902615177069434

SHA1
8c92a4b9cf001162106717504ea2ddb7e970ffc1

SHA256
74fdb2daa80b73c5698bdb7fef5dc2c50cec34a8760c20d92f2ddf9e4e1e8991

SHA512
137bdecc7c441c2ccf98433bff887c3982809b87e1567568ef22d21479f8aa9886823a833ebb1b23e742b764d54dabcbc779d9570de31f81c1176e11a878cf99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nab4pfu4\nab4pfu4.0.cs

Filesize
526B

MD5
19cf785fbc390f5627236a4b664e3467

SHA1
917d102da7222d6a0477f3932c1d9014601ca71c

SHA256
35d145e5758625b5cce58aac031766c6816c0971dd8a0f4240e7a791dbec24b3

SHA512
c069fd68db3b30c18612e21052e94fa48dba7f8f624e513fcb938d79e7722a38cab5c2f2dd5d309f01f14c2565ebfbfc4d0ea6a3a078b0dc685b6bbec77dd649

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nab4pfu4\nab4pfu4.cmdline

Filesize
369B

MD5
59e8bd668ed0ba3e8dca481e4b41d808

SHA1
ae89257abd6c031ea4e33ebfdbfae63b239973e0

SHA256
65e376debc427b85859812ca5662c07a2db3781349950dce7d7f6c26e9fcd96d

SHA512
015b5375de41b864e6bff286a87bc294105361ec39abbf7a09dd37d7bbcd4aa3fd59d6b61fd169165b0d82292a618aeca6d4806b7a861e56a37b49a26d136d3c

Download Submit
memory/2220-74-0x0000000002D80000-0x0000000002D90000-memory.dmp

Filesize
64KB

Download
memory/2220-76-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/2220-83-0x0000000002B00000-0x0000000003B00000-memory.dmp

Filesize
16.0MB

Download
memory/2220-82-0x0000000002B00000-0x0000000003B00000-memory.dmp

Filesize
16.0MB

Download
memory/2220-81-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/2220-80-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/2220-79-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/2220-78-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/2220-11-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/2220-77-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/2220-53-0x0000000002B00000-0x0000000003B00000-memory.dmp

Filesize
16.0MB

Download
memory/2220-60-0x0000000002B00000-0x0000000003B00000-memory.dmp

Filesize
16.0MB

Download
memory/2220-68-0x0000000002B00000-0x0000000003B00000-memory.dmp

Filesize
16.0MB

Download
memory/2220-71-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/2220-75-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/2220-4-0x0000000002B00000-0x0000000003B00000-memory.dmp

Filesize
16.0MB

Download
memory/4680-29-0x00007FFE311F0000-0x00007FFE31CB1000-memory.dmp

Filesize
10.8MB

Download
memory/4680-46-0x00007FFE311F0000-0x00007FFE31CB1000-memory.dmp

Filesize
10.8MB

Download
memory/4680-16-0x0000018E7B370000-0x0000018E7B3F2000-memory.dmp

Filesize
520KB

Download
memory/4680-22-0x0000018E7B320000-0x0000018E7B342000-memory.dmp

Filesize
136KB

Download
memory/4680-27-0x0000018E7B300000-0x0000018E7B310000-memory.dmp

Filesize
64KB

Download
memory/4680-28-0x0000018E7B7C0000-0x0000018E7B8C2000-memory.dmp

Filesize
1.0MB

Download
memory/4680-31-0x0000018E7B2D0000-0x0000018E7B2E0000-memory.dmp

Filesize
64KB

Download
memory/4680-30-0x0000018E7B2D0000-0x0000018E7B2E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing