Malware Analysis Report

2025-08-10 12:05

Sample ID 240222-zat25afc43
Target netty-all-4.0.23.Final.jar
SHA256 50510e9c9874b539b98ef931fe7eeeb002f6b5b1976ea37669b9493426294561
Tags: discovery
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 50510e9c9874b539b98ef931fe7eeeb002f6b5b1976ea37669b9493426294561

Threat Level: Shows suspicious behavior

The file netty-all-4.0.23.Final.jar was found to show suspicious behavior.

Malicious Activity Summary

discovery

Modifies file permissions

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-22 20:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-22 20:31
Reported: 2024-02-22 20:34
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 123s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\netty-all-4.0.23.Final.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\netty-all-4.0.23.Final.jar

Network

N/A

Files

memory/2844-3-0x0000000002740000-0x0000000005740000-memory.dmp

memory/2844-10-0x0000000000450000-0x0000000000451000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-22 20:31
Reported: 2024-02-22 20:35
Platform: win10v2004-20240221-en
Max time kernel: 142s
Max time network: 151s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\netty-all-4.0.23.Final.jar

Signatures

Modifies file permissions
Tags: discovery

Description  Indicator  Process                         Target
N/A          N/A        C:\Windows\system32\icacls.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                                                            Target
PID 2960 wrote to memory of 4864  N/A        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe  C:\Windows\system32\icacls.exe
PID 2960 wrote to memory of 4864  N/A        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe  C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\netty-all-4.0.23.Final.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country  Destination  Domain                       Proto
US       8.8.8.8:53   176.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53   134.32.126.40.in-addr.arpa   udp
US       8.8.8.8:53   205.47.74.20.in-addr.arpa    udp
US       8.8.8.8:53   103.169.127.40.in-addr.arpa  udp
US       8.8.8.8:53   206.23.85.13.in-addr.arpa    udp
US       8.8.8.8:53   140.71.91.104.in-addr.arpa   udp
US       8.8.8.8:53   199.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53   195.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53   21.236.111.52.in-addr.arpa   udp
US       8.8.8.8:53   4.173.189.20.in-addr.arpa    udp

Files

memory/2960-2-0x0000021F83740000-0x0000021F84740000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 1eeba877b4898f796591c5255cfd07c8
SHA1 89c6277eab47adebca28bcbaa1e6425f6497491d
SHA256 1fbe96c3f302704fbe6457a65d265554393da5fc2f8c102d246842a0d4649ef4
SHA512 9a1c019beb0ec08998ae7c06ff0151addc85f76a42e3563ed96aea09dcebeab66686abf93b2624c96143f0b25ef989a3f40de4edbefa99996661135ce856a13d

memory/2960-12-0x0000021F83720000-0x0000021F83721000-memory.dmp