Analysis

max time kernel: 149s
max time network: 138s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 06-09-2023 14:46

Static task: static1

Behavioral task: behavioral1
Sample: sample.jar
Resource: win7-20230831-en

Behavioral task: behavioral2
Sample: sample.jar
Resource: win10v2004-20230831-en
General

Target: sample.jar
Size: 184KB
MD5: bedcdaf50807711f4d66faf4e5a7aa21
SHA1: d54da78d710d53a4d42aa8e604b1dd994febaad0
SHA256: c65d3ff20b9a591b41d0b575e70167ebd8963e003f619652660d0fa7adf84c9d
SHA512: 625b4dd91da35daa8f5ae0148b7f004856ea5cad2208ec2a12bb7fbd0aee7e78725b88e52bd2ad37999687322daa813b4e35657a8173bf2e46390cb26a70f0b4
SSDEEP: 3072:PAChkMq6P6y4UqmzvrMsTcF2Ws5PhjRrszwgqFk0hF5gE2Y8w:PACu6H4UqqrMvF25PhjMb9GF5gED8w
Malware Config

Signatures

JAR file contains resources related to AdWind (1 IoC)
This JAR file potentially contains loader stubs used by the AdWind RAT.
Processes:
- yara_rule family_adwind_stub matched resource C:\Users\Admin\AppData\Local\Temp\asdqwdoiqjwdomasdlkasmdklasd44835801984083158950exeadmis6.jar

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
- PID 1292 attrib.exe
- PID 2116 attrib.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\sedwsds = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\xps\\swsrviaswa.jar\""
- reg.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sedwsds = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\xps\\swsrviaswa.jar\""

Drops desktop.ini file(s) (2 IoCs)
Processes:
- java.exe: File created C:\Users\Admin\AppData\Roaming\xps\Desktop.ini
- attrib.exe: File opened for modification C:\Users\Admin\AppData\Roaming\xps\Desktop.ini

Modifies registry key (1 TTP, 2 IoCs)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 2504 java.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (source PID and process, target PID and process):
- PID 2408 java.exe wrote to memory of PID 2616 java.exe
- PID 2408 java.exe wrote to memory of PID 2616 java.exe
- PID 2408 java.exe wrote to memory of PID 2616 java.exe
- PID 2408 java.exe wrote to memory of PID 2504 java.exe
- PID 2408 java.exe wrote to memory of PID 2504 java.exe
- PID 2408 java.exe wrote to memory of PID 2504 java.exe
- PID 2504 java.exe wrote to memory of PID 2824 reg.exe
- PID 2504 java.exe wrote to memory of PID 2824 reg.exe
- PID 2504 java.exe wrote to memory of PID 2824 reg.exe
- PID 2504 java.exe wrote to memory of PID 1144 reg.exe
- PID 2504 java.exe wrote to memory of PID 1144 reg.exe
- PID 2504 java.exe wrote to memory of PID 1144 reg.exe
- PID 2504 java.exe wrote to memory of PID 1292 attrib.exe
- PID 2504 java.exe wrote to memory of PID 1292 attrib.exe
- PID 2504 java.exe wrote to memory of PID 1292 attrib.exe
- PID 2504 java.exe wrote to memory of PID 2116 attrib.exe
- PID 2504 java.exe wrote to memory of PID 2116 attrib.exe
- PID 2504 java.exe wrote to memory of PID 2116 attrib.exe
- PID 2504 java.exe wrote to memory of PID 1088 javaw.exe
- PID 2504 java.exe wrote to memory of PID 1088 javaw.exe
- PID 2504 java.exe wrote to memory of PID 1088 javaw.exe

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
- PID 1292 attrib.exe
- PID 2116 attrib.exe
Processes (process tree; indentation shows parent/child relationship)

C:\Windows\system32\java.exe (PID 2408)
    Command line: java -jar C:\Users\Admin\AppData\Local\Temp\sample.jar
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\java.exe (PID 2616)
        Command line: java -jar C:\Users\Admin\AppData\Local\Temp\asdqwdoiqjwdomasdlkasmdklasd44835801984083158950exeadmis6.jar

    C:\Windows\system32\java.exe (PID 2504)
        Command line: java -jar C:\Users\Admin\AppData\Local\Temp\asdqwdoiqjwdomasdlkasmdklasd28630915366792669791dede2.jar
        - Drops desktop.ini file(s)
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\reg.exe (PID 2824)
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sedwsds /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\xps\swsrviaswa.jar\"" /f
            - Adds Run key to start application
            - Modifies registry key

        C:\Windows\system32\reg.exe (PID 1144)
            Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v sedwsds /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\xps\swsrviaswa.jar\"" /f
            - Adds Run key to start application
            - Modifies registry key

        C:\Windows\system32\attrib.exe (PID 1292)
            Command line: attrib +s +h +r "C:\Users\Admin\AppData\Roaming\xps\*.*"
            - Sets file to hidden
            - Drops desktop.ini file(s)
            - Views/modifies file attributes

        C:\Windows\system32\attrib.exe (PID 2116)
            Command line: attrib +s +h +r "C:\Users\Admin\AppData\Roaming\xps"
            - Sets file to hidden
            - Views/modifies file attributes

        C:\Program Files\Java\jre7\bin\javaw.exe (PID 1088)
            Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\xps\swsrviaswa.jar"
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 59KB
MD5: c2c4d5760b4acd6722c6052d52fd21c0
SHA1: 4cf6240fae1338c7eb0cf1534e7e820f57b3b9e7
SHA256: a7ee7cfbd2461230da7eb919f9eb58f2d3fa54a4892307cea0f339189ebede28
SHA512: 8f34b983664635c5ec7f0af4b47a1e90ea3abac64c5f5bf62d215cef2d3c32af5438ce0576c805bc3bd1978f6cef66cd08ef80a87c4ce4b269d7a27e42bd0d1e

Filesize: 101KB
MD5: 3d95e909a81dd81283604f6fe0b909b0
SHA1: b6c4144f5be00ef49c47b56ff7a62b5809f8746b
SHA256: 21a4fabdbabfbd936aa14762f2f139d3049e46812efbe3d1febd7dca1d599a54
SHA512: 68c0a4ac0673392dfe53ae276aceb6de1e71613c74817e3eac760ecac185f6997d1346696ad5982502095e40f9dff0bbe60d36fd6f849a6211a5d061b9de80aa

Filesize: 63B
MD5: e783bdd20a976eaeaae1ff4624487420
SHA1: c2a44fab9df00b3e11582546b16612333c2f9286
SHA256: 2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3
SHA512: 8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80