f1ffeaf918203a78730cbfa7e31e97f19b85c871307206a61a3770428ea2a659

Resubmissions

21/02/2024, 18:57

240221-xl1b6seb59 7

21/02/2024, 18:55

240221-xkq24sdf3v 7

Analysis

max time kernel
135s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meteor-client-0.5.6-2021.jar
Size

4.2MB
MD5

abc5d2f8a3443125c4eb853478739bc5
SHA1

e98b2f44f462182895579a57bf3f842ce40097d2
SHA256

f1ffeaf918203a78730cbfa7e31e97f19b85c871307206a61a3770428ea2a659
SHA512

e5db7462a008759c99dcb978e5ca3d1689e7999673fb0e173e6ce415aa81b24924995dd79b76a751c365ccec7820fd3e373911d69f0c22e55471b9f73ccb8c4d
SSDEEP

98304:LM2SKrU1XdVTWClwxuBiURgk5L+Y3esnugeiKhDkKxESZ:LM2uNZWClwWRFL+Y3efEKxr

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5000	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2708	java.exe
2708	java.exe
2708	java.exe
2708	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 5000	2708	java.exe	88
PID 2708 wrote to memory of 5000	2708	java.exe	88

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\meteor-client-0.5.6-2021.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
ed4d21dac64cb45104b50c03f1645a86

SHA1
fa539e89870e4019b4a2494be2f6071518e1c2ed

SHA256
6d6e5fd102922bbe2b25239cf010096a935e4c0259f178358d2843b3d2668b3d

SHA512
cfcebaa29b801f7717df3f7b377aea5958ee6d1df6939a05d2fea3bc5973a23c1cc7aa08c37c1c10bec2bc638cc316239dfb8c9ca99093693dc8e1b7d1828875

Download Submit
memory/2708-62-0x0000016839BF0000-0x000001683ABF0000-memory.dmp

Filesize
16.0MB

Download
memory/2708-15-0x00000168385A0000-0x00000168385A1000-memory.dmp

Filesize
4KB

Download
memory/2708-16-0x00000168385A0000-0x00000168385A1000-memory.dmp

Filesize
4KB

Download
memory/2708-19-0x00000168385A0000-0x00000168385A1000-memory.dmp

Filesize
4KB

Download
memory/2708-20-0x00000168385A0000-0x00000168385A1000-memory.dmp

Filesize
4KB

Download
memory/2708-4-0x0000016839BF0000-0x000001683ABF0000-memory.dmp

Filesize
16.0MB

Download
memory/2708-78-0x00000168385A0000-0x00000168385A1000-memory.dmp

Filesize
4KB

Download
memory/2708-84-0x0000016839BF0000-0x000001683ABF0000-memory.dmp

Filesize
16.0MB

Download
memory/2708-87-0x0000016839BF0000-0x000001683ABF0000-memory.dmp

Filesize
16.0MB

Download
memory/2708-90-0x0000016839BF0000-0x000001683ABF0000-memory.dmp

Filesize
16.0MB

Download
memory/2708-92-0x0000016839BF0000-0x000001683ABF0000-memory.dmp

Filesize
16.0MB

Download
memory/2708-93-0x0000016839BF0000-0x000001683ABF0000-memory.dmp

Filesize
16.0MB

Download
memory/2708-97-0x0000016839BF0000-0x000001683ABF0000-memory.dmp

Filesize
16.0MB

Download