9177ca34e9e0244328e0b83f083b02e95bcd4893bcea21e216378ac3243333f6

Analysis

max time kernel
91s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMAGE04082021.jar
Size

105KB
MD5

2f514a6973bdd72c6f0cb740a88c53be
SHA1

aa1a3e40ffaabf1d66a269555b9b015e797a0e22
SHA256

bd6ac640b46be854c95ed835f5dfcdeb95559d5b75a222e1b342891233d53ccc
SHA512

731ed2cd864eb5734ca1340d59eccfdc4336fc3ff49f317c14b548dae274bdca86e1d08b69d6ca7df4feee5c1ca3d892872f20c4595c15cc2c6b1a6fcd76ecbd
SSDEEP

3072:QgIITcDXy1FZm/EkRlpo95EBs6XRjgaup:Qhe1F9H9Ms6XRjHup

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4920 icacls.exe

pid	process
4920	icacls.exe

Drops file in Program Files directory 12 IoCs

Processes:

java.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 1916 wrote to memory of 4920 1916 java.exe icacls.exe
PID 1916 wrote to memory of 4920 1916 java.exe icacls.exe

description	pid	process	target process
PID 1916 wrote to memory of 4920	1916	java.exe	icacls.exe
PID 1916 wrote to memory of 4920	1916	java.exe	icacls.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\IMAGE04082021.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:4920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
664e787a0d558fdb8fd0d796a13cb952

SHA1
258f2d8529d2261c629984029a5abc101b9ce602

SHA256
e88672b1f5ee90a4d799d2667a4360a97fc56c40d4ac1e465cbed776c3ebac16

SHA512
3ef83223d964b4e5519c481e4b473d7c7932f8f171aaffc9b7e8d5d44cbd6ebe6d841b54e6864df8f4e68981a0482068981d3559e87974cc32d27ea74d160567

Download Submit
memory/1916-31-0x000001DE6CDE0000-0x000001DE6DDE0000-memory.dmp

Filesize
16.0MB

Download
memory/1916-15-0x000001DE6B430000-0x000001DE6B431000-memory.dmp

Filesize
4KB

Download
memory/1916-17-0x000001DE6B430000-0x000001DE6B431000-memory.dmp

Filesize
4KB

Download
memory/1916-18-0x000001DE6CDE0000-0x000001DE6DDE0000-memory.dmp

Filesize
16.0MB

Download
memory/1916-27-0x000001DE6B430000-0x000001DE6B431000-memory.dmp

Filesize
4KB

Download
memory/1916-4-0x000001DE6CDE0000-0x000001DE6DDE0000-memory.dmp

Filesize
16.0MB

Download
memory/1916-34-0x000001DE6D080000-0x000001DE6D090000-memory.dmp

Filesize
64KB

Download
memory/1916-35-0x000001DE6D090000-0x000001DE6D0A0000-memory.dmp

Filesize
64KB

Download
memory/1916-32-0x000001DE6D060000-0x000001DE6D070000-memory.dmp

Filesize
64KB

Download
memory/1916-33-0x000001DE6D0C0000-0x000001DE6D0D0000-memory.dmp

Filesize
64KB

Download
memory/1916-36-0x000001DE6D0A0000-0x000001DE6D0B0000-memory.dmp

Filesize
64KB

Download
memory/1916-37-0x000001DE6D0B0000-0x000001DE6D0C0000-memory.dmp

Filesize
64KB

Download
memory/1916-38-0x000001DE6CDE0000-0x000001DE6DDE0000-memory.dmp

Filesize
16.0MB

Download
memory/1916-39-0x000001DE6CDE0000-0x000001DE6DDE0000-memory.dmp

Filesize
16.0MB

Download