Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

681105abdc...f0.jar

windows7-x64

10

681105abdc...f0.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2024, 16:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    681105abdc5d0c0343775b60daf355f0.jar

  • Size

    628KB

  • MD5

    681105abdc5d0c0343775b60daf355f0

  • SHA1

    19df3c8b66be211e6cb1cc01cf7c7eff5064fc8b

  • SHA256

    9de696d1d6fb1228d3697b7be4e628d6489c4bc2dcfacc54b1fb282fe4fbebe9

  • SHA512

    649fe254c397cace915c1348da5e8a6f35621a9a29ce720261e824fb91efe4d5b6276edb54ecdf9e606f2046c68b0ef5c5a1ed1a405585591f5856c9fe32893b

  • SSDEEP

    12288:p9JFYoYph7hbhUItEv1GUSSoPwokLOqf5SEmkkjB0bCSoZiZ3znQBu:p97YoYt7oSjYOKSEUBwoZiZ3zQY

Score
10/10
adwindvjw0rmdiscoverypersistencetrojanworm

Malware Config

Signatures

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

    trojanadwind
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 12 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\681105abdc5d0c0343775b60daf355f0.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4348
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:1660
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\_output.js
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\UTKfCExmNp.js"
        3⤵
        • Drops startup file
        • Adds Run key to start application
        PID:2296
      • C:\Program Files\Java\jre-1.8\bin\javaw.exe
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\oerohpmjgw.txt"
        3⤵
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3960
        • C:\Program Files\Java\jre-1.8\bin\java.exe
          "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.181915407751703231708313605024771159.class
          4⤵
          • Drops file in Program Files directory
          PID:816
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7983307309297210335.vbs
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Windows\system32\cscript.exe
            cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7983307309297210335.vbs
            5⤵
              PID:776
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1210419822849597510.vbs
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4444
            • C:\Windows\system32\cscript.exe
              cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1210419822849597510.vbs
              5⤵
                PID:3608
            • C:\Windows\SYSTEM32\xcopy.exe
              xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
              4⤵
                PID:452
              • C:\Windows\SYSTEM32\cmd.exe
                cmd.exe
                4⤵
                  PID:2856
                • C:\Windows\SYSTEM32\taskkill.exe
                  taskkill /IM UserAccountControlSettings.exe /T /F
                  4⤵
                  • Kills process with taskkill
                  PID:3612
                • C:\Windows\SYSTEM32\cmd.exe
                  cmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\FpLeALCXQW3175811571200176964.reg
                  4⤵
                    PID:2544
                    • C:\Windows\regedit.exe
                      regedit.exe /s C:\Users\Admin\AppData\Local\Temp\FpLeALCXQW3175811571200176964.reg
                      5⤵
                      • Runs .reg file with regedit
                      PID:4284
                  • C:\Windows\SYSTEM32\taskkill.exe
                    taskkill /IM ProcessHacker.exe /T /F
                    4⤵
                    • Kills process with taskkill
                    PID:392
                  • C:\Windows\SYSTEM32\taskkill.exe
                    taskkill /IM procexp.exe /T /F
                    4⤵
                    • Kills process with taskkill
                    PID:2644
                  • C:\Windows\SYSTEM32\taskkill.exe
                    taskkill /IM procexp.exe /T /F
                    4⤵
                    • Kills process with taskkill
                    PID:1176
                  • C:\Windows\SYSTEM32\taskkill.exe
                    taskkill /IM wireshark.exe /T /F
                    4⤵
                    • Kills process with taskkill
                    PID:4960
                  • C:\Windows\SYSTEM32\taskkill.exe
                    taskkill /IM tshark.exe /T /F
                    4⤵
                    • Kills process with taskkill
                    PID:4620
                  • C:\Windows\SYSTEM32\taskkill.exe
                    taskkill /IM text2pcap.exe /T /F
                    4⤵
                    • Kills process with taskkill
                    PID:3596
                  • C:\Windows\SYSTEM32\taskkill.exe
                    taskkill /IM rawshark.exe /T /F
                    4⤵
                    • Kills process with taskkill
                    PID:3872
                  • C:\Windows\SYSTEM32\taskkill.exe
                    taskkill /IM mergecap.exe /T /F
                    4⤵
                    • Kills process with taskkill
                    PID:3512
                  • C:\Windows\SYSTEM32\taskkill.exe
                    taskkill /IM editcap.exe /T /F
                    4⤵
                    • Kills process with taskkill
                    PID:4032
                  • C:\Windows\SYSTEM32\taskkill.exe
                    taskkill /IM dumpcap.exe /T /F
                    4⤵
                    • Kills process with taskkill
                    PID:4900
                  • C:\Windows\SYSTEM32\taskkill.exe
                    taskkill /IM capinfos.exe /T /F
                    4⤵
                    • Kills process with taskkill
                    PID:3408

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
              Filesize

              46B

              MD5

              a32013431db263b2ce5ccf17b71f1bdb

              SHA1

              8b951b1ebb677598942361258ce387c058437de5

              SHA256

              65bb7276a65338fa6d69e2b83536480e58f61ced5a34c9eb02295daedec8ac1a

              SHA512

              37f0befd704b66f61e9499dccd7115728cf95778f05f205cc09a82f1b79352acbdc86599f33e4b13ad5c01da5e577c107313d6588ed8493c62c50290917d71fb

              Download Submit

            • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
              Filesize

              46B

              MD5

              31aaa16fc07dfd012b308e6370e5c0ad

              SHA1

              17b4efc228bdf27c31b48cede6c3b6636b79336a

              SHA256

              4413c4f50249600823ecf6d65c85b4a9f1e31f5198116fe7658eea6a02d08925

              SHA512

              d3087277964e52e951a24a7682a3f39e1242d69b63dfb6d62c6b60fc1fa2ce24f38ef19358cf46511422b9cad40e07fe373fa9f1f9e2f45919b743099daef12a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\FpLeALCXQW3175811571200176964.reg
              Filesize

              26KB

              MD5

              675937a27946a24657ba8a156bb04b82

              SHA1

              0636486ae91adb8f9ce433d8633b9560b7753361

              SHA256

              d62d6ba92ee3bd5f9b603d0225dd81d2b9e7a561c4f30955866f52c8510ef1b0

              SHA512

              28fb85560ad2a4f68e30d2989fba946c65708ecf57ac2a1ec815080084973869a8024a2dc41d4bb00cfeebe40d321e4cc1ae286ddc4bb92a0b12188771378647

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Retrive1210419822849597510.vbs
              Filesize

              281B

              MD5

              a32c109297ed1ca155598cd295c26611

              SHA1

              dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

              SHA256

              45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

              SHA512

              70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Retrive7983307309297210335.vbs
              Filesize

              276B

              MD5

              3bdfd33017806b85949b6faa7d4b98e4

              SHA1

              f92844fee69ef98db6e68931adfaa9a0a0f8ce66

              SHA256

              9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

              SHA512

              ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\_0.181915407751703231708313605024771159.class
              Filesize

              241KB

              MD5

              781fb531354d6f291f1ccab48da6d39f

              SHA1

              9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

              SHA256

              97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

              SHA512

              3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll
              Filesize

              558KB

              MD5

              bf78c15068d6671693dfcdfa5770d705

              SHA1

              4418c03c3161706a4349dfe3f97278e7a5d8962a

              SHA256

              a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb

              SHA512

              5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140.dll
              Filesize

              95KB

              MD5

              7415c1cc63a0c46983e2a32581daefee

              SHA1

              5f8534d79c84ac45ad09b5a702c8c5c288eae240

              SHA256

              475ab98b7722e965bd38c8fa6ed23502309582ccf294ff1061cb290c7988f0d1

              SHA512

              3d4b24061f72c0e957c7b04a0c4098c94c8f1afb4a7e159850b9939c7210d73398be6f27b5ab85073b4e8c999816e7804fef0f6115c39cd061f4aaeb4dcda8cf

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140_1.dll
              Filesize

              36KB

              MD5

              fcda37abd3d9e9d8170cd1cd15bf9d3f

              SHA1

              b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2

              SHA256

              0579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6

              SHA512

              de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties
              Filesize

              3KB

              MD5

              880baacb176553deab39edbe4b74380d

              SHA1

              37a57aad121c14c25e149206179728fa62203bf0

              SHA256

              ff4a3a92bc92cb08d2c32c435810440fd264edd63e56efa39430e0240c835620

              SHA512

              3039315bb283198af9090bd3d31cfae68ee73bc2b118bbae0b32812d4e3fd0f11ce962068d4a17b065dab9a66ef651b9cb8404c0a2defce74bb6b2d1d93646d5

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif
              Filesize

              153B

              MD5

              1e9d8f133a442da6b0c74d49bc84a341

              SHA1

              259edc45b4569427e8319895a444f4295d54348f

              SHA256

              1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

              SHA512

              63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

              Download Submit

            • C:\Users\Admin\AppData\Roaming\UTKfCExmNp.js
              Filesize

              9KB

              MD5

              ad0c7ddce8b698fe384a4fe713eee19f

              SHA1

              88f09dc796a1a1efccd3aff70f814df4f8e17a12

              SHA256

              d0114eaf2ec37c2b7d65d87c8a8afcc536470d3a03c3ce3b09ad662e5ae969ef

              SHA512

              9476eff03863804fba347947a2b41e12f60ced3001b6892ea73361d50c660613754be463b850bbe7261b663d8fff4f4df4245225b78f7189c141bce64ebd8847

              Download Submit

            • C:\Users\Admin\AppData\Roaming\oerohpmjgw.txt
              Filesize

              479KB

              MD5

              2bc77cbaca6f8ac04a0e4d698cf5133a

              SHA1

              34252120652ba3a20588aa557337538d21e5ed88

              SHA256

              a87af64dfea31dd2e08ae33b9a595b37ed4fa1511f195caa498ee9d51199528c

              SHA512

              fc14834e588ac87ea762a181ac12d1a59ca0fc60edb20ac1323493543760b641a6d9951c1bc3e04c66cf3692a284b793eff2cf9d8ab4050fb58d543780c24563

              Download Submit

            • C:\Users\Admin\_output.js
              Filesize

              914KB

              MD5

              54d7a9612b5b6ae8d92d1dee6afc77ba

              SHA1

              566c13b7d4499a7d74e627ce818e10a65d9e1f47

              SHA256

              07b0274fcfd6bba6f5056eff77692987aeea03ff2fe978a5b8c097e842df5c41

              SHA512

              539491dc967fd97292d7f945d02e0c439566a8e805da0da3e31bef2313c8b20895828f7fa11a9801e5f6d638a565e45fe5fd1fbf3b579c6e27b8b31a76c3bece

              Download Submit

            • memory/816-53-0x000002738E8B0000-0x000002738E8B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/816-63-0x000002738E8B0000-0x000002738E8B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/816-46-0x00000273900F0000-0x00000273910F0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3960-95-0x000001FED3E80000-0x000001FED3E81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3960-997-0x000001FED3E80000-0x000001FED3E81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3960-85-0x000001FED3EA0000-0x000001FED4EA0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3960-1020-0x000001FED3EA0000-0x000001FED4EA0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3960-94-0x000001FED3EA0000-0x000001FED4EA0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3960-81-0x000001FED3E80000-0x000001FED3E81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3960-76-0x000001FED3E80000-0x000001FED3E81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3960-72-0x000001FED3EA0000-0x000001FED4EA0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3960-67-0x000001FED3EA0000-0x000001FED4EA0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3960-43-0x000001FED3E80000-0x000001FED3E81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3960-37-0x000001FED3E80000-0x000001FED3E81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3960-32-0x000001FED3EA0000-0x000001FED4EA0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3960-1019-0x000001FED3EA0000-0x000001FED4EA0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3960-82-0x000001FED3E80000-0x000001FED3E81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3960-996-0x000001FED3EA0000-0x000001FED4EA0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3960-999-0x000001FED3E80000-0x000001FED3E81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3960-1002-0x000001FED3E80000-0x000001FED3E81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3960-1006-0x000001FED3EA0000-0x000001FED4EA0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3960-1007-0x000001FED3E80000-0x000001FED3E81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3960-1011-0x000001FED3EA0000-0x000001FED4EA0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3960-1012-0x000001FED3E80000-0x000001FED3E81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3960-1016-0x000001FED3EA0000-0x000001FED4EA0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3960-1018-0x000001FED3EA0000-0x000001FED4EA0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4348-13-0x0000024C522B0000-0x0000024C522B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4348-990-0x0000024C522D0000-0x0000024C532D0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4348-4-0x0000024C522D0000-0x0000024C532D0000-memory.dmp

              Filesize

              16.0MB

              Download