e4310114f26e15fa07e71124920ed389f53e21ee57aad649e912ea15ef4e5ebf

General

Target

1151de818776c906cf7e06cc24c91f5f.jar
Size

128KB
MD5

1151de818776c906cf7e06cc24c91f5f
SHA1

6cd199b2909eea9731de0dfcaa73a1370d7bfdd7
SHA256

e4310114f26e15fa07e71124920ed389f53e21ee57aad649e912ea15ef4e5ebf
SHA512

d452b51448d38337141a8f6b6d7f6d2941042493baa8e30e91f187f6d4b22e7cc6da14543e7fa141ae1a4dadb5bcbe0f70d0912eb0d63195d1c72cbb493b1e59
SSDEEP

3072:tlf2sc96eDRPXOIGdZ5XNKgfTuoTnA8pUfJ9Ifs20mBtHux/:/WdvGdNVLuoTnRpOUkEBtHw

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	wscript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1948	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 1948	4420	java.exe	90
PID 4420 wrote to memory of 1948	4420	java.exe	90
PID 4420 wrote to memory of 2268	4420	java.exe	92
PID 4420 wrote to memory of 2268	4420	java.exe	92
PID 2268 wrote to memory of 2204	2268	wscript.exe	93
PID 2268 wrote to memory of 2204	2268	wscript.exe	93

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\1151de818776c906cf7e06cc24c91f5f.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:1948
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\[output].js
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ruYArSxXtj.js"
    3⤵
    PID:2204
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\eebiyguog.txt"
    3⤵
    PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
e1a38d118b349221d8cde35d1b9ee63e

SHA1
d3eeb1499e73088ed1ca5d47a1ef3c7736671933

SHA256
072443cf33c7ac2b9fed574d3478ed08182df765bf1e1ebc8e1731f54adfcc21

SHA512
6fbb4be5c06d06ea9cfe3b3d79a119eef12736eef4ae0b59bd07fae7c60c7ea7b9a30ac6958ed2e185c5710df6768e7385afa916d990319403524e7dd4897567

Download Submit
C:\Users\Admin\AppData\Roaming\eebiyguog.txt

Filesize
92KB

MD5
ae4f924072e8dd90687607e7becdde2e

SHA1
225d2c7cf6506bf59d865fe3dba1b6c1736d492b

SHA256
915de15ccb287c58270e6bc23523b0cde9ce077dbc0fef517faca1a1a0313286

SHA512
14da1de2af981af4390e3bb95e29f968f0ef67af011202ce9f598e9f553f822e37013301c965f871ad2660cc451fb7c1ad619bf9533405e7424ad88f199803f0

Download Submit
C:\Users\Admin\AppData\Roaming\ruYArSxXtj.js

Filesize
9KB

MD5
ca4e11b0bbf70a587e0d653bfceded8c

SHA1
c70eeac3273988740e937e21e11948b003295582

SHA256
d0a3dc9322f9f6f9028f437d45757560de849fd0a0a6dcf8c92beed012b61e0d

SHA512
291bbeb73d3ecacfe5c50aa9fd59f0542eea4950a82d0def79318017d5a0c9bcd3792a49c17309414c7678235ffeae284f29643e2be4b4a368592c0f5f64bdf0

Download Submit
C:\Users\Admin\[output].js

Filesize
201KB

MD5
235c68f406aa41b7e1a87e35d83add4c

SHA1
dadb5bd81a34b437863e3d744ea0a06c48533b39

SHA256
9285fa6ba7f6cb35a4371d51a11f7c5c7aa582cb1deec294aff20ec5060b0a2d

SHA512
158661fdbd3c48fb3f3dba455833553e0c3c1c64d4007262515a689f755f5b752b34f7ead147834852445f60328e3d66b0ea44bfa79372f1667ea14297fa7d1a

Download Submit
memory/1200-77-0x0000024CC48F0000-0x0000024CC4900000-memory.dmp

Filesize
64KB

Download
memory/1200-80-0x0000024CC45F0000-0x0000024CC55F0000-memory.dmp

Filesize
16.0MB

Download
memory/1200-27-0x0000024CC45F0000-0x0000024CC55F0000-memory.dmp

Filesize
16.0MB

Download
memory/1200-34-0x0000024CC2D90000-0x0000024CC2D91000-memory.dmp

Filesize
4KB

Download
memory/1200-41-0x0000024CC45F0000-0x0000024CC55F0000-memory.dmp

Filesize
16.0MB

Download
memory/1200-52-0x0000024CC2D90000-0x0000024CC2D91000-memory.dmp

Filesize
4KB

Download
memory/1200-55-0x0000024CC45F0000-0x0000024CC55F0000-memory.dmp

Filesize
16.0MB

Download
memory/1200-69-0x0000024CC45F0000-0x0000024CC55F0000-memory.dmp

Filesize
16.0MB

Download
memory/1200-76-0x0000024CC4880000-0x0000024CC4890000-memory.dmp

Filesize
64KB

Download
memory/1200-75-0x0000024CC4870000-0x0000024CC4880000-memory.dmp

Filesize
64KB

Download
memory/1200-89-0x0000024CC45F0000-0x0000024CC55F0000-memory.dmp

Filesize
16.0MB

Download
memory/1200-73-0x0000024CC45F0000-0x0000024CC55F0000-memory.dmp

Filesize
16.0MB

Download
memory/1200-82-0x0000024CC48E0000-0x0000024CC48F0000-memory.dmp

Filesize
64KB

Download
memory/1200-83-0x0000024CC4910000-0x0000024CC4920000-memory.dmp

Filesize
64KB

Download
memory/1200-84-0x0000024CC4920000-0x0000024CC4930000-memory.dmp

Filesize
64KB

Download
memory/1200-87-0x0000024CC4950000-0x0000024CC4960000-memory.dmp

Filesize
64KB

Download
memory/1200-86-0x0000024CC4940000-0x0000024CC4950000-memory.dmp

Filesize
64KB

Download
memory/1200-88-0x0000024CC45F0000-0x0000024CC55F0000-memory.dmp

Filesize
16.0MB

Download
memory/1200-85-0x0000024CC45F0000-0x0000024CC55F0000-memory.dmp

Filesize
16.0MB

Download
memory/1200-81-0x0000024CC48D0000-0x0000024CC48E0000-memory.dmp

Filesize
64KB

Download
memory/1200-79-0x0000024CC4970000-0x0000024CC4980000-memory.dmp

Filesize
64KB

Download
memory/1200-78-0x0000024CC4930000-0x0000024CC4940000-memory.dmp

Filesize
64KB

Download
memory/4420-14-0x0000023DC4B60000-0x0000023DC4B61000-memory.dmp

Filesize
4KB

Download
memory/4420-4-0x0000023DC63D0000-0x0000023DC73D0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing