23470d051b914ebef24b5963b5cdfc2d88feedd783fd85766d1eb0397314b75e

General

Target

8e23008d7ada844193b579c1194ed0bb.jar
Size

129KB
MD5

8e23008d7ada844193b579c1194ed0bb
SHA1

e41203fbb4e3fc56da36de0f16da8ea013835455
SHA256

23470d051b914ebef24b5963b5cdfc2d88feedd783fd85766d1eb0397314b75e
SHA512

aa65bb14c09782f67870278d97ab783dbe88c97d62cff44d2fbae649cb1b8ff045231df8b51e0b5ff695173a57b155be7b1b377dee5aa1df5c99a0d31f5e9cde
SSDEEP

3072:FMT7X2SUszVuItHjPpPeM3jbFO6C11vZYPULkHImQq+MXa5Sh9UALa:FGMszVuKDPgM3jbFOXfvy1dQqjaOG

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	wscript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3096	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 3096	2020	java.exe	85
PID 2020 wrote to memory of 3096	2020	java.exe	85
PID 2020 wrote to memory of 4412	2020	java.exe	87
PID 2020 wrote to memory of 4412	2020	java.exe	87
PID 4412 wrote to memory of 2476	4412	wscript.exe	88
PID 4412 wrote to memory of 2476	4412	wscript.exe	88
PID 4412 wrote to memory of 3764	4412	wscript.exe	89
PID 4412 wrote to memory of 3764	4412	wscript.exe	89

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\8e23008d7ada844193b579c1194ed0bb.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:3096
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\fttmjknmdk.js
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vBlHdPbRXO.js"
    3⤵
    PID:2476
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\tsfokwkw.txt"
    3⤵
    PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
5b1e0e11ec574839c68dd24872556529

SHA1
c5fdeeae73a41c1150c033e43736621a5e2d5085

SHA256
e42c6d8eb6f3c7af9415f16f13a67700f5d91427e7f9d3188979bae74a210556

SHA512
519139e76223cb2202d6bce5b702a7d3bf3abe610750bd0607a4c7a09469fd9fd889c9d8b6e950eebe57dbb74e18c5a693d57b638f8b52219534fd73e216fa41

Download Submit
C:\Users\Admin\AppData\Roaming\tsfokwkw.txt

Filesize
64KB

MD5
0578b746a9101f82296ce8da47b00c29

SHA1
f0bc5eef91a3e71c5c1005023bb18e2b5ff6f184

SHA256
40b90b0bcfa41fe14037e835724ac3d3792cef69cf25698020186013068128a2

SHA512
be71203221fabe2c66b67b29ee46e8a50eda701929a2bf404d3184fbf5e439e5ae60f0c3726bb082b4a79d84f12a9b1c135f85fab987a482c893ff7507fb82fd

Download Submit
C:\Users\Admin\AppData\Roaming\vBlHdPbRXO.js

Filesize
10KB

MD5
3d1f00e48df980bbe27e044f1806ac45

SHA1
ca18bf1aa56088a4b4fc662641db53e759ca02c5

SHA256
c662504121a016a1d03230f2b588dc3e46a0dc535b374ceea2812b5edd5bb03f

SHA512
925521347e5797e64091baa676a1a28e1ba34bde07672ed2a830c7487ad1a216c499eb2dcd646255bbe2d6944ba283924e9f0ed92ad33f1bcc17c16655ab9dd3

Download Submit
C:\Users\Admin\fttmjknmdk.js

Filesize
205KB

MD5
039aa1459dff7f925387f99398485238

SHA1
ae030e4bc78bc8725ffb7911d77a820003059531

SHA256
43b48dab6f4327b867221688c4f77d57a43faba5067698dd37c8d1a63229056a

SHA512
484d67e334512eedf4636606b16b03032e4ac7d28d450d28789b3a8a3b6dadac573aeb9d34d2d2e66f1e2f839da410c8ef12b602d0a4db37c0b72c3671079503

Download Submit
memory/2020-2-0x0000019E8C3B0000-0x0000019E8D3B0000-memory.dmp

Filesize
16.0MB

Download
memory/2020-14-0x0000019E8AB80000-0x0000019E8AB81000-memory.dmp

Filesize
4KB

Download
memory/3764-40-0x000001BDD6DF0000-0x000001BDD7DF0000-memory.dmp

Filesize
16.0MB

Download
memory/3764-32-0x000001BDD6DF0000-0x000001BDD7DF0000-memory.dmp

Filesize
16.0MB

Download
memory/3764-33-0x000001BDD5560000-0x000001BDD5561000-memory.dmp

Filesize
4KB

Download
memory/3764-41-0x000001BDD5560000-0x000001BDD5561000-memory.dmp

Filesize
4KB

Download
memory/3764-51-0x000001BDD5560000-0x000001BDD5561000-memory.dmp

Filesize
4KB

Download
memory/3764-55-0x000001BDD6DF0000-0x000001BDD7DF0000-memory.dmp

Filesize
16.0MB

Download
memory/3764-70-0x000001BDD6DF0000-0x000001BDD7DF0000-memory.dmp

Filesize
16.0MB

Download
memory/3764-76-0x000001BDD6DF0000-0x000001BDD7DF0000-memory.dmp

Filesize
16.0MB

Download
memory/3764-75-0x000001BDD5560000-0x000001BDD5561000-memory.dmp

Filesize
4KB

Download
memory/3764-83-0x000001BDD6DF0000-0x000001BDD7DF0000-memory.dmp

Filesize
16.0MB

Download
memory/3764-163-0x000001BDD6DF0000-0x000001BDD7DF0000-memory.dmp

Filesize
16.0MB

Download
memory/3764-170-0x000001BDD6DF0000-0x000001BDD7DF0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing