Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
23-02-2024 15:16
Behavioral task
behavioral1
Sample
invoice58499.jar
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
invoice58499.jar
Resource
win10v2004-20240221-en
General
-
Target
invoice58499.jar
-
Size
209KB
-
MD5
1f1f27ded1ea733d6be70e13bb1ecd60
-
SHA1
d03405a17b31e3f58ab90d4cb1ee08f9ba0cf131
-
SHA256
cd95317ffcd0cf91eb2ce9fa6a0d062a9a1dab9fd278654b85172445873e5fcb
-
SHA512
e8f50c947fb25b286185bbeda4ba70b2efbb545584e8f7ab018752f7dec84b1ea3aa13f052620b8e7f2d635d4e480cd3657af71cc29c524512b4cd35879a88c4
-
SSDEEP
3072:jVhrFK2o50lj/H9OtNodDZawwcSHpHA1QNPmnztEHb7yR7MBprhF19AyGZV4etuc:jp7jx1fwcCg1QNPmzmKdMBnF/c42
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 1 IoCs
-
Drops file in Program Files directory 12 IoCs
Processes:
java.exedescription ioc process File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb java.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
java.exedescription pid process target process PID 3268 wrote to memory of 1800 3268 java.exe icacls.exe PID 3268 wrote to memory of 1800 3268 java.exe icacls.exe
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\invoice58499.jar1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M2⤵
- Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestampFilesize
46B
MD5791827b9e1cf5f38de09d3f53ddd6215
SHA1dfe51bac267bace45eb0557e692a3339755ebd29
SHA2562f12b1978fdcbf519ceefda713ddf01a5115eb85124902535e2dbf816467f18f
SHA512970c1b3fc35af413c1437cc09abc407eb553c1a05e14cd44e664ee8bf517dd522d78202827f43f4df4cbc3a91ea513ee8cef6d142fb90a256de11eec955f8107
-
memory/3268-4-0x000001DD902C0000-0x000001DD912C0000-memory.dmpFilesize
16.0MB
-
memory/3268-12-0x000001DD8E9F0000-0x000001DD8E9F1000-memory.dmpFilesize
4KB
-
memory/3268-17-0x000001DD902C0000-0x000001DD912C0000-memory.dmpFilesize
16.0MB
-
memory/3268-19-0x000001DD90540000-0x000001DD90550000-memory.dmpFilesize
64KB
-
memory/3268-20-0x000001DD90550000-0x000001DD90560000-memory.dmpFilesize
64KB
-
memory/3268-21-0x000001DD902C0000-0x000001DD912C0000-memory.dmpFilesize
16.0MB