kinsing | 095dab73e2b180f247c4f3b92d4d5e6da806c362bc64ea38d7d4a25ee768cc18

Analysis

max time kernel
89s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Badlion Client 4.0.1/Badlion Client.app/Contents/libs/optifineinstallwrapper.jar
Size

3KB
MD5

8967319339fd7ff2a67b3a9eab3e4b93
SHA1

03e69508f50bffba71390c367fbc5e8c00d07335
SHA256

f4c5909042743c4a7206f52ae352fbfcad807185a985884314044b236ccb24c0
SHA512

e376022ce07135b77d46da898c27bf49239332e88410b4a20362e9f4ada0fb2a02b7cdbd00bfc0f11d3228ce56e77cd165b77baf41c21790dbb52ccf771555a1

Score

10^/10

kinsing discovery loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4988 icacls.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 4024 wrote to memory of 4988 4024 java.exe icacls.exe
PID 4024 wrote to memory of 4988 4024 java.exe icacls.exe

pid	process
4988	icacls.exe

description	pid	process	target process
PID 4024 wrote to memory of 4988	4024	java.exe	icacls.exe
PID 4024 wrote to memory of 4988	4024	java.exe	icacls.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Badlion Client 4.0.1\Badlion Client.app\Contents\libs\optifineinstallwrapper.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
a0327c340bb13b17652c4f4a23657422

SHA1
ad1f21acf8be20b78b5838c4b1814478a9b88754

SHA256
c7fddf6b9639755a5c7dca4f8526930f8510f4211c9e70855252f114bb217993

SHA512
c477889ef0c3468d35fa5b260111726e0dec6c9ef01d0e636896ff2fb27febf26603f6c264287c218680303d7cf3e137b6979f5a6b8d00cba658417a89932968

Download Submit
memory/4024-4-0x0000024549E40000-0x000002454AE40000-memory.dmp

Filesize
16.0MB

Download
memory/4024-12-0x0000024549E20000-0x0000024549E21000-memory.dmp

Filesize
4KB

Download