kinsing | 095dab73e2b180f247c4f3b92d4d5e6da806c362bc64ea38d7d4a25ee768cc18

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Badlion Client 4.0.1/Badlion Client.app/Contents/libs/disruptor-3.4.2.jar
Size

81KB
MD5

6895a3c4f54cf92eef6530e9e2cd3c46
SHA1

e2543a63086b4189fbe418d05d56633bc1a815f7
SHA256

f412ecbb235c2460b45e63584109723dea8d94b819c78c9bfc38f50cba8546c0
SHA512

da76e44fc9834c6d9e21eafe2fe64604159dba99770946bd114823ba037ea0217ae3a13f5eaf29e28edf92fcfd4f20c60b7645d6f117c38c897594e1337a744c
SSDEEP

1536:oY+hjADvCviw+918+uBeKfaUxR1WLr+Q+i2:oY+hGyr+duB8aR1WeC2

Score

10^/10

kinsing discovery loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3716 icacls.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 4824 wrote to memory of 3716 4824 java.exe icacls.exe
PID 4824 wrote to memory of 3716 4824 java.exe icacls.exe

pid	process
3716	icacls.exe

description	pid	process	target process
PID 4824 wrote to memory of 3716	4824	java.exe	icacls.exe
PID 4824 wrote to memory of 3716	4824	java.exe	icacls.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Badlion Client 4.0.1\Badlion Client.app\Contents\libs\disruptor-3.4.2.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
c29e40b442b58bc2a4115c298e90055b

SHA1
c242c3aacb5e4c79a3a6bac8ac96a3d125378e80

SHA256
1bb03b655c5b9c519fa4e05ecaac5ab4c6a70dce00f7af668cf3a3568f90b722

SHA512
54fcc2e1541e456dd6370e19d83c1c37218a60c9cfaa56ce579f530b15f1ecee26d2c82d1c38fd42dc24aaa84d57d742af6396f61481889a07f1dee952af782b

Download Submit
memory/4824-4-0x000001E9C3F00000-0x000001E9C4F00000-memory.dmp

Filesize
16.0MB

Download
memory/4824-11-0x000001E9C2730000-0x000001E9C2731000-memory.dmp

Filesize
4KB

Download
memory/4824-13-0x000001E9C3F00000-0x000001E9C4F00000-memory.dmp

Filesize
16.0MB

Download