4fa8ab3763707bd8347f3a27faec2ac74f902af54b2074855eaf7410f9615874

Resubmissions

30/10/2023, 23:19

231030-3ax1kafe2v 1

30/10/2023, 02:03

231030-cgtnlsac7y 10

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2023, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sparkk.jar
Size

1.0MB
MD5

14c60d7c9ed65affcf0565ff94633a39
SHA1

59b86277b79804fdefd7bfd68c63f9f3e44b2ad9
SHA256

4fa8ab3763707bd8347f3a27faec2ac74f902af54b2074855eaf7410f9615874
SHA512

bc4cd36959d714ffd1ca7a1668084117f8c0b053d0fb508f30675feb03730989fa1d63572a7fd2cfc76f99cf8d04329ee0bc8637dc9d1af3c4139400b46dad02
SSDEEP

24576:8BysVM5qDErtZXREL9+9uohDNNNLIPNLI3NLIFNLIm:zqDytZh9uEZIPZI3ZIFZIm

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1964	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1964	2452	java.exe	86
PID 2452 wrote to memory of 1964	2452	java.exe	86

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\sparkk.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
5e142c4c2413a8727e4fec5cda5f8299

SHA1
d4c1be84d5624eb93e82594fbb848484952cc908

SHA256
c2e6b563bc8a61dd9d2c526a397536e048d3e8c4e06ba4035882772d03516f49

SHA512
8247585fbd0a62b3c52ff7d42145f701791bc1f40533a177b23b738670fe8fcba07181f1a0b4180af338938d2130db6712b20e6fe82efc5e2343a0b343e3d504

Download Submit
memory/2452-8-0x00000276C5D00000-0x00000276C6D00000-memory.dmp

Filesize
16.0MB

Download
memory/2452-12-0x00000276C46A0000-0x00000276C46A1000-memory.dmp

Filesize
4KB

Download
memory/2452-20-0x00000276C5D00000-0x00000276C6D00000-memory.dmp

Filesize
16.0MB

Download
memory/2452-19-0x00000276C5F80000-0x00000276C5F90000-memory.dmp

Filesize
64KB

Download
memory/2452-21-0x00000276C5D00000-0x00000276C6D00000-memory.dmp

Filesize
16.0MB

Download