Overview

overview

7

Static

static

1

EzExploit.rar

windows10-2004-x64

3

EzExploit/config.yml

windows10-2004-x64

3

EzExploit/...rd.jar

windows10-2004-x64

7

EzExploit/...rd.bat

windows10-2004-x64

7

EzExploit/modules.yml

windows10-2004-x64

3

EzExploit/...rt.jar

windows10-2004-x64

7

EzExploit/...nd.jar

windows10-2004-x64

7

EzExploit/...st.jar

windows10-2004-x64

7

EzExploit/...nd.jar

windows10-2004-x64

7

EzExploit/...er.jar

windows10-2004-x64

7

EzExploit/...ml.jar

windows10-2004-x64

7

EzExploit/plugin.yml

windows10-2004-x64

3

EzExploit/...ix.jar

windows10-2004-x64

7

EzExploit/...ro.jar

windows10-2004-x64

1

bungee.yml

windows10-2004-x64

3

jutting/Bu....class

windows10-2004-x64

3

jutting/co....class

windows10-2004-x64

3

jutting/co....class

windows10-2004-x64

3

jutting/co....class

windows10-2004-x64

3

jutting/co....class

windows10-2004-x64

3

jutting/co....class

windows10-2004-x64

3

jutting/li....class

windows10-2004-x64

3

jutting/li....class

windows10-2004-x64

3

jutting/li....class

windows10-2004-x64

3

org/json/s....class

windows10-2004-x64

3

org/json/s....class

windows10-2004-x64

3

org/json/s....class

windows10-2004-x64

3

org/json/s....class

windows10-2004-x64

3

org/json/s....class

windows10-2004-x64

3

org/json/s....class

windows10-2004-x64

3

org/json/s....class

windows10-2004-x64

3

org/json/s....class

windows10-2004-x64

3

Resubmissions

02/11/2023, 15:01 UTC

231102-sdwxkafe89 7

02/11/2023, 14:58 UTC

231102-scexnade9x 7

Analysis

  • max time kernel
    159s
  • max time network
    270s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/11/2023, 15:01 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EzExploit/modules/reconnect_yaml.jar

  • Size

    6KB

  • MD5

    d1fde0d321918adc22002d9072ef23ca

  • SHA1

    efd66687ec71fa74dd1e6bf438615214abb5fee9

  • SHA256

    23147bfa63e2ac2add7c57480ab579f6a3d3b6091d480e712b610b1b9b79a4e4

  • SHA512

    ba876f61d6484db3d441bd7004d03a5d6afa97085fd46d8684d6ba6648af083a4d6300a77f8e16dff754c63158f7be8ee9de81443ae06cb1259c3aed611fca85

  • SSDEEP

    96:f6HZWp6AqfLNhLLO2cE/BZtit/violx5gSvnG0/KAuKNzLYsyusW4s7NqfyaDW:f650uzNhs4titiolB/GXALWsJsVM8PDW

Score
7/10
discovery

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\EzExploit\modules\reconnect_yaml.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:4268

Network

  • flag-us
    DNS
    2.136.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.136.104.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    155.245.36.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    155.245.36.23.in-addr.arpa
    IN PTR
    Response
    155.245.36.23.in-addr.arpa
    IN PTR
    a23-36-245-155deploystaticakamaitechnologiescom
  • flag-us
    DNS
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.99.105.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.99.105.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    218.240.110.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    218.240.110.104.in-addr.arpa
    IN PTR
    Response
    218.240.110.104.in-addr.arpa
    IN PTR
    a104-110-240-218deploystaticakamaitechnologiescom
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301512_1AX3RCN5D9AJKN0AW&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301512_1AX3RCN5D9AJKN0AW&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 234680
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 509D44342DE943CC8E132AA17F8B5608 Ref B: AMS04EDGE2710 Ref C: 2023-11-02T15:02:52Z
    date: Thu, 02 Nov 2023 15:02:52 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301275_1820437F4BE6O8J6E&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301275_1820437F4BE6O8J6E&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 447383
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 3CDB540A8ED74A73A2128BFEB08F87A4 Ref B: AMS04EDGE2710 Ref C: 2023-11-02T15:02:52Z
    date: Thu, 02 Nov 2023 15:02:52 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301255_1JJTCDF3S80817GOI&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301255_1JJTCDF3S80817GOI&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 582460
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 743500CD0390453DBEF028BFDC386050 Ref B: AMS04EDGE2710 Ref C: 2023-11-02T15:02:52Z
    date: Thu, 02 Nov 2023 15:02:52 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301684_1450KFM0D4YJ64Y71&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301684_1450KFM0D4YJ64Y71&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 194603
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 44315CCAE45A4FEE8174786DA06C1932 Ref B: AMS04EDGE2710 Ref C: 2023-11-02T15:02:52Z
    date: Thu, 02 Nov 2023 15:02:52 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301079_1C0V2OISTJJIJUHWS&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301079_1C0V2OISTJJIJUHWS&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 440440
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 04B06E3C7B824C18A045C2A137B2A9B5 Ref B: AMS04EDGE2710 Ref C: 2023-11-02T15:02:52Z
    date: Thu, 02 Nov 2023 15:02:52 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301664_1DL2E71ET3JINATLK&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301664_1DL2E71ET3JINATLK&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 541836
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 78132D5A54EC4A94BE623FD198C66E99 Ref B: AMS04EDGE2710 Ref C: 2023-11-02T15:02:52Z
    date: Thu, 02 Nov 2023 15:02:52 GMT
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    DNS
    63.141.182.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    63.141.182.52.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.3kB
     16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.3kB
     16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.3kB
     16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.3kB
     16
    14
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317301664_1DL2E71ET3JINATLK&pid=21.2&w=1080&h=1920&c=4
    tls, http2
    91.1kB
     2.5MB
     1837
    1833

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301512_1AX3RCN5D9AJKN0AW&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301275_1820437F4BE6O8J6E&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301255_1JJTCDF3S80817GOI&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301684_1450KFM0D4YJ64Y71&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301079_1C0V2OISTJJIJUHWS&pid=21.2&w=1920&h=1080&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301664_1DL2E71ET3JINATLK&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200
  • 8.8.8.8:53
    2.136.104.51.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    2.136.104.51.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    155.245.36.23.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    155.245.36.23.in-addr.arpa

  • 8.8.8.8:53
    208.194.73.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    208.194.73.20.in-addr.arpa

  • 8.8.8.8:53
    58.99.105.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    58.99.105.20.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    218.240.110.104.in-addr.arpa
    dns
    74 B
     141 B
     1
    1

    DNS Request

    218.240.110.104.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
     173 B
     1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
     173 B
     1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    63.141.182.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    63.141.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    0f13b41a35049645eb395de3cacdff79

    SHA1

    995586848dd801ebcb4f179d37e22dbdeffa7748

    SHA256

    63586727f70a421bd51af33a0a16bef138f22c4b7615c59d5195f95dda47c6e1

    SHA512

    0080ced2d151c7e5f01bbb269f46207afaac4aa486e32111c75519f84348eeb2d12a2cbe0a959d9e7ebdf1ab3e1d7d9aadb2af4b91048db97daab3cb67f2c252

    Download Submit

  • memory/2924-4-0x000001F9B2D70000-0x000001F9B3D70000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2924-12-0x000001F9B1510000-0x000001F9B1511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2924-13-0x000001F9B2D70000-0x000001F9B3D70000-memory.dmp

    Filesize

    16.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.