Analysis
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-09-2023 14:46
Static task: static1
Behavioral task: behavioral1
  Sample: sample.jar
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: sample.jar
  Resource: win10v2004-20230831-en
General
Target: sample.jar
Size: 184KB
MD5: bedcdaf50807711f4d66faf4e5a7aa21
SHA1: d54da78d710d53a4d42aa8e604b1dd994febaad0
SHA256: c65d3ff20b9a591b41d0b575e70167ebd8963e003f619652660d0fa7adf84c9d
SHA512: 625b4dd91da35daa8f5ae0148b7f004856ea5cad2208ec2a12bb7fbd0aee7e78725b88e52bd2ad37999687322daa813b4e35657a8173bf2e46390cb26a70f0b4
SSDEEP: 3072:PAChkMq6P6y4UqmzvrMsTcF2Ws5PhjRrszwgqFk0hF5gE2Y8w:PACu6H4UqqrMvF25PhjMb9GF5gED8w
Malware Config
Signatures
JAR file contains resources related to AdWind (2 IoCs)
This JAR file potentially contains loader stubs used by the AdWind RAT.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\asdqwdoiqjwdomasdlkasmdklasd80204470572918719250exeadmis6.jar | family_adwind_stub
C:\Users\Admin\AppData\Roaming\javasupdadtes\javasupdadtew.jar | family_adwind_stub

Sets file to hidden (1 TTP, 4 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
pid | process
3752 | attrib.exe
2412 | attrib.exe
4656 | attrib.exe
2488 | attrib.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sedwsds = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\xps\\swsrviaswa.jar\"" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sedwsds = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\xps\\swsrviaswa.jar\"" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javasupdadtesw = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\javasupdadtes\\javasupdadtew.jar\"" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javasupdadtesw = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\javasupdadtes\\javasupdadtew.jar\"" | reg.exe

Drops desktop.ini file(s) (4 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\xps\Desktop.ini | java.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\xps\Desktop.ini | attrib.exe
File created | C:\Users\Admin\AppData\Roaming\javasupdadtes\Desktop.ini | java.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\javasupdadtes\Desktop.ini | attrib.exe

Drops file in Program Files directory (12 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb | javaw.exe

Modifies registry key (1 TTP, 6 IoCs)
Processes:
pid | process
4488 | reg.exe
3760 | reg.exe
1636 | reg.exe
2908 | reg.exe
1444 | reg.exe
3248 | reg.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
pid | process
4632 | java.exe
3780 | java.exe
4760 | javaw.exe

Suspicious use of WriteProcessMemory (30 IoCs)
Processes:
description | pid | process | target process
PID 460 wrote to memory of 3780 | 460 | java.exe | java.exe
PID 460 wrote to memory of 3780 | 460 | java.exe | java.exe
PID 460 wrote to memory of 4632 | 460 | java.exe | java.exe
PID 460 wrote to memory of 4632 | 460 | java.exe | java.exe
PID 4632 wrote to memory of 2908 | 4632 | java.exe | reg.exe
PID 4632 wrote to memory of 2908 | 4632 | java.exe | reg.exe
PID 4632 wrote to memory of 1444 | 4632 | java.exe | reg.exe
PID 4632 wrote to memory of 1444 | 4632 | java.exe | reg.exe
PID 4632 wrote to memory of 3752 | 4632 | java.exe | attrib.exe
PID 4632 wrote to memory of 3752 | 4632 | java.exe | attrib.exe
PID 4632 wrote to memory of 2412 | 4632 | java.exe | attrib.exe
PID 4632 wrote to memory of 2412 | 4632 | java.exe | attrib.exe
PID 4632 wrote to memory of 4176 | 4632 | java.exe | javaw.exe
PID 4632 wrote to memory of 4176 | 4632 | java.exe | javaw.exe
PID 3780 wrote to memory of 3248 | 3780 | java.exe | reg.exe
PID 3780 wrote to memory of 3248 | 3780 | java.exe | reg.exe
PID 3780 wrote to memory of 4488 | 3780 | java.exe | reg.exe
PID 3780 wrote to memory of 4488 | 3780 | java.exe | reg.exe
PID 3780 wrote to memory of 4656 | 3780 | java.exe | attrib.exe
PID 3780 wrote to memory of 4656 | 3780 | java.exe | attrib.exe
PID 3780 wrote to memory of 2488 | 3780 | java.exe | attrib.exe
PID 3780 wrote to memory of 2488 | 3780 | java.exe | attrib.exe
PID 3780 wrote to memory of 4760 | 3780 | java.exe | javaw.exe
PID 3780 wrote to memory of 4760 | 3780 | java.exe | javaw.exe
PID 4760 wrote to memory of 3760 | 4760 | javaw.exe | reg.exe
PID 4760 wrote to memory of 3760 | 4760 | javaw.exe | reg.exe
PID 4760 wrote to memory of 1636 | 4760 | javaw.exe | reg.exe
PID 4760 wrote to memory of 1636 | 4760 | javaw.exe | reg.exe
PID 4760 wrote to memory of 4512 | 4760 | javaw.exe | attrib.exe
PID 4760 wrote to memory of 4512 | 4760 | javaw.exe | attrib.exe

Views/modifies file attributes (1 TTP, 5 IoCs)
Processes:
pid | process
2488 | attrib.exe
4512 | attrib.exe
3752 | attrib.exe
2412 | attrib.exe
4656 | attrib.exe
Processes
[1] C:\ProgramData\Oracle\Java\javapath\java.exe
    command line: java -jar C:\Users\Admin\AppData\Local\Temp\sample.jar
    - Suspicious use of WriteProcessMemory
    PID: 460

    [2] C:\ProgramData\Oracle\Java\javapath\java.exe
        command line: java -jar C:\Users\Admin\AppData\Local\Temp\asdqwdoiqjwdomasdlkasmdklasd80204470572918719250exeadmis6.jar
        - Drops desktop.ini file(s)
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 3780

        [3] C:\Windows\SYSTEM32\reg.exe
            command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v javasupdadtesw /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\javasupdadtes\javasupdadtew.jar\"" /f
            - Adds Run key to start application
            - Modifies registry key
            PID: 3248

        [3] C:\Windows\SYSTEM32\reg.exe
            command line: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v javasupdadtesw /f
            - Modifies registry key
            PID: 4488

        [3] C:\Windows\SYSTEM32\attrib.exe
            command line: attrib +s +h +r "C:\Users\Admin\AppData\Roaming\javasupdadtes\*.*"
            - Sets file to hidden
            - Drops desktop.ini file(s)
            - Views/modifies file attributes
            PID: 4656

        [3] C:\Windows\SYSTEM32\attrib.exe
            command line: attrib +s +h +r "C:\Users\Admin\AppData\Roaming\javasupdadtes"
            - Sets file to hidden
            - Views/modifies file attributes
            PID: 2488

        [3] C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
            command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\javasupdadtes\javasupdadtew.jar"
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 4760

            [4] C:\Windows\SYSTEM32\reg.exe
                command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v javasupdadtesw /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\javasupdadtes\javasupdadtew.jar\"" /f
                - Adds Run key to start application
                - Modifies registry key
                PID: 3760

            [4] C:\Windows\SYSTEM32\reg.exe
                command line: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v javasupdadtesw /f
                - Modifies registry key
                PID: 1636

            [4] C:\Windows\SYSTEM32\attrib.exe
                command line: attrib +H C:\Users\Admin\.Plugins3
                - Views/modifies file attributes
                PID: 4512

    [2] C:\ProgramData\Oracle\Java\javapath\java.exe
        command line: java -jar C:\Users\Admin\AppData\Local\Temp\asdqwdoiqjwdomasdlkasmdklasd4277562502419898061dede2.jar
        - Drops desktop.ini file(s)
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 4632

        [3] C:\Windows\SYSTEM32\reg.exe
            command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sedwsds /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\xps\swsrviaswa.jar\"" /f
            - Adds Run key to start application
            - Modifies registry key
            PID: 2908

        [3] C:\Windows\SYSTEM32\reg.exe
            command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v sedwsds /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\xps\swsrviaswa.jar\"" /f
            - Adds Run key to start application
            - Modifies registry key
            PID: 1444

        [3] C:\Windows\SYSTEM32\attrib.exe
            command line: attrib +s +h +r "C:\Users\Admin\AppData\Roaming\xps\*.*"
            - Sets file to hidden
            - Drops desktop.ini file(s)
            - Views/modifies file attributes
            PID: 3752

        [3] C:\Windows\SYSTEM32\attrib.exe
            command line: attrib +s +h +r "C:\Users\Admin\AppData\Roaming\xps"
            - Sets file to hidden
            - Views/modifies file attributes
            PID: 2412

        [3] C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
            command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\xps\swsrviaswa.jar"
            - Drops file in Program Files directory
            PID: 4176
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 50B
MD5: 4c2dc134598979669eafa82f7a7af7de
SHA1: a02199bac803887066316e20f8b39007e81766aa
SHA256: 58f3d7dbe8dcfe717eb81f1d496c4a2c3c4d4b44b0770047d2aeacf514821e62
SHA512: e60cac58f966148cf70f938ab1b55276e5f85fce3306d480f4ae2f618ba91db3138e9913d074a9d9d92337db735ad9ee2ebd2007b40e25327308fd5114e4dae4

Filesize: 50B
MD5: 0159d8bff2a2e7bc3c14a1311671b7a5
SHA1: d5d2024b34b4e7a086034d116c4ae6aa34267ca5
SHA256: 0143e9d784c90b082298e74cb0b5d34b9139a736466811a9d8115311b2048821
SHA512: c6947f840ba01b356489a2cd95183f087e8d40d775f0e5081ab626be51d1cd6246f10a71c481f23556aeb45c2f9fc6cdc3d8765cce6f30ad0fc2bf273e0ccc5c

Filesize: 50B
MD5: bcdc2925291c5c868ace4644e258b61c
SHA1: 0b19ea30a71e2a1356711e8cf67f658f485460d9
SHA256: 2c1eb18cf9f37f0d50e5a7c8b8c2a1ab96af1bccc07e0208904a43ff8d282bf9
SHA512: d970c0d13b4dc7387cffc449f3e6d71bae5b3f54d4e9ea3262738fd01c8bf58546e74ca328d23009c66611e8d1000cd201aea34441391d94a61a129c4e77c2bf

Filesize: 50B
MD5: 436c8131b28c734ebc71a3865b92cc0a
SHA1: 4141cb27b16c1e664f59cd7c68272fa5ae299b3e
SHA256: 2588a4ec5b032295abe81fce66eae22719d8c7f3adeb9153fcfb0357c17a03fa
SHA512: e59985ab08e833533e566911f06ce6cf4c7c46c3de1b7613fc3a65029277a5bad1f0048ecf7c0ddb57fa7a207fbdffbb166a279b125a90176bb765daeed7296a

Filesize: 59KB
MD5: c2c4d5760b4acd6722c6052d52fd21c0
SHA1: 4cf6240fae1338c7eb0cf1534e7e820f57b3b9e7
SHA256: a7ee7cfbd2461230da7eb919f9eb58f2d3fa54a4892307cea0f339189ebede28
SHA512: 8f34b983664635c5ec7f0af4b47a1e90ea3abac64c5f5bf62d215cef2d3c32af5438ce0576c805bc3bd1978f6cef66cd08ef80a87c4ce4b269d7a27e42bd0d1e

Filesize: 101KB
MD5: 3d95e909a81dd81283604f6fe0b909b0
SHA1: b6c4144f5be00ef49c47b56ff7a62b5809f8746b
SHA256: 21a4fabdbabfbd936aa14762f2f139d3049e46812efbe3d1febd7dca1d599a54
SHA512: 68c0a4ac0673392dfe53ae276aceb6de1e71613c74817e3eac760ecac185f6997d1346696ad5982502095e40f9dff0bbe60d36fd6f849a6211a5d061b9de80aa

Filesize: 63B
MD5: e783bdd20a976eaeaae1ff4624487420
SHA1: c2a44fab9df00b3e11582546b16612333c2f9286
SHA256: 2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3
SHA512: 8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80

Filesize: 101KB
MD5: 3d95e909a81dd81283604f6fe0b909b0
SHA1: b6c4144f5be00ef49c47b56ff7a62b5809f8746b
SHA256: 21a4fabdbabfbd936aa14762f2f139d3049e46812efbe3d1febd7dca1d599a54
SHA512: 68c0a4ac0673392dfe53ae276aceb6de1e71613c74817e3eac760ecac185f6997d1346696ad5982502095e40f9dff0bbe60d36fd6f849a6211a5d061b9de80aa

Filesize: 63B
MD5: e783bdd20a976eaeaae1ff4624487420
SHA1: c2a44fab9df00b3e11582546b16612333c2f9286
SHA256: 2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3
SHA512: 8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80

Filesize: 59KB
MD5: c2c4d5760b4acd6722c6052d52fd21c0
SHA1: 4cf6240fae1338c7eb0cf1534e7e820f57b3b9e7
SHA256: a7ee7cfbd2461230da7eb919f9eb58f2d3fa54a4892307cea0f339189ebede28
SHA512: 8f34b983664635c5ec7f0af4b47a1e90ea3abac64c5f5bf62d215cef2d3c32af5438ce0576c805bc3bd1978f6cef66cd08ef80a87c4ce4b269d7a27e42bd0d1e