kinsing | 095dab73e2b180f247c4f3b92d4d5e6da806c362bc64ea38d7d4a25ee768cc18

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Badlion Client 4.0.1/Badlion Client.app/Contents/libs/lz4-java-1.7.1.jar
Size

634KB
MD5

d56d86823662a663a4d614dd5e117eff
SHA1

c4d931ef8ad2c9c35d65b231a33e61428472d0da
SHA256

f1167a45d4b8002053670ef6991ca66d1bab9dcc03e4ef00183674d2f3fb9cac
SHA512

ff48daeca92c5a7657aa9c7fe41c5ae75a5fa0aad05c655bacb64a40acfe93ffd3d40bef16544614ce8a38db3e1df177023101773f6f7c1d32031413270e42d2
SSDEEP

12288:amEvKTPZYCwZmp59WR2/nfxHYub6OULsunu8wrqeWm7ahEqw0CwWF40vSumvh:dPZYCwUqcfF/6OULsuwrPd7ahEEWvvc

Score

10^/10

kinsing discovery loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

412 icacls.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 2976 wrote to memory of 412 2976 java.exe icacls.exe
PID 2976 wrote to memory of 412 2976 java.exe icacls.exe

pid	process
412	icacls.exe

description	pid	process	target process
PID 2976 wrote to memory of 412	2976	java.exe	icacls.exe
PID 2976 wrote to memory of 412	2976	java.exe	icacls.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Badlion Client 4.0.1\Badlion Client.app\Contents\libs\lz4-java-1.7.1.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
77ec79790eeb724c663658afe377b1f0

SHA1
5b1f21f8db399fcf31cd3b4caaeb1b0b26ccef86

SHA256
527358421588d7fec553b2308eec846d3fa05d04e9dc3ef1a62def763fc0ce13

SHA512
090e2f4ce0f0038a7b098b20e12c474d4da7bbd65167ed65fbe2e38e744ceda8e09186e007a413da49d80fae89e5f96d3e4f0fb56ea0785aa823d76494d86434

Download Submit
memory/2976-4-0x000001F715470000-0x000001F716470000-memory.dmp

Filesize
16.0MB

Download
memory/2976-11-0x000001F713BB0000-0x000001F713BB1000-memory.dmp

Filesize
4KB

Download
memory/2976-13-0x000001F715470000-0x000001F716470000-memory.dmp

Filesize
16.0MB

Download