Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-02-2024 03:54
Behavioral task: behavioral1
Sample: SB COPY6827366180.PDF.jar
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: SB COPY6827366180.PDF.jar
Resource: win10v2004-20231215-en
General
Target: SB COPY6827366180.PDF.jar
Size: 40KB
MD5: 0ec695117cb3bf0f1a8cef9a77f7675a
SHA1: e1152ed31dad5535bbeb5b63d61491d5fadd4787
SHA256: 243a5315c031347617620bb5c8b694b3308932530519abc04e00c7c4fd7f7c62
SHA512: b9b27c10a0363fc38a219e8c9b795e284003e94b5851c30e30907b766bba88aa2e81701edd222461a5379a4daca0f094527f2fdca3da132aafede02d27bc8bf7
SSDEEP: 768:qzXFN70ZIv326vOAZT1S0dNMAkuyC9iS7hKouufPN7c:qzXj7eYNJkchvN4
Malware Config
Signatures
- Modifies file permissions (1 TTPs, 1 IoCs)
- Drops file in Program Files directory (12 IoCs)
Processes: java.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jvm.pdb | java.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
Processes: java.exe
description | pid | process | target process
PID 4524 wrote to memory of 4708 | 4524 | java.exe | icacls.exe
PID 4524 wrote to memory of 4708 | 4524 | java.exe | icacls.exe
Processes
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\SB COPY6827366180.PDF.jar"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\icacls.exe (child process)
    Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
  Filesize: 46B
  MD5: 31db826bd42448097dd8d06dbf74a60d
  SHA1: c4e4ff8e4732bb86e6452be553cd34b3ccae18ea
  SHA256: 4dd693c18de1403464952b369098b7c052ab2412338184b89fb27f08d96ea59e
  SHA512: f7605bb8fc7828d520ff7d175dbc670b6352696d53beb06f2057e9813eaff56bdd69fd8fd09dee6d6ccdb5c7b99d025b03bad3245543700fc9f1e8d513e8e31d
- memory/4524-4-0x000001B5AD160000-0x000001B5AE160000-memory.dmp
  Filesize: 16.0MB