Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
24-02-2024 09:03
Behavioral task
behavioral1
Sample
cd95317ffcd0cf91eb2ce9fa6a0d062a9a1dab9fd278654b85172445873e5fcb.jar
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
cd95317ffcd0cf91eb2ce9fa6a0d062a9a1dab9fd278654b85172445873e5fcb.jar
Resource
win10v2004-20240221-en
General
-
Target
cd95317ffcd0cf91eb2ce9fa6a0d062a9a1dab9fd278654b85172445873e5fcb.jar
-
Size
209KB
-
MD5
1f1f27ded1ea733d6be70e13bb1ecd60
-
SHA1
d03405a17b31e3f58ab90d4cb1ee08f9ba0cf131
-
SHA256
cd95317ffcd0cf91eb2ce9fa6a0d062a9a1dab9fd278654b85172445873e5fcb
-
SHA512
e8f50c947fb25b286185bbeda4ba70b2efbb545584e8f7ab018752f7dec84b1ea3aa13f052620b8e7f2d635d4e480cd3657af71cc29c524512b4cd35879a88c4
-
SSDEEP
3072:jVhrFK2o50lj/H9OtNodDZawwcSHpHA1QNPmnztEHb7yR7MBprhF19AyGZV4etuc:jp7jx1fwcCg1QNPmzmKdMBnF/c42
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 1 IoCs
-
Drops file in Program Files directory 12 IoCs
Processes:
java.exedescription ioc process File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb java.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
java.exedescription pid process target process PID 5348 wrote to memory of 1184 5348 java.exe icacls.exe PID 5348 wrote to memory of 1184 5348 java.exe icacls.exe
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\cd95317ffcd0cf91eb2ce9fa6a0d062a9a1dab9fd278654b85172445873e5fcb.jar1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5348 -
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M2⤵
- Modifies file permissions
PID:1184
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestampFilesize
46B
MD5aa9c910d73d99f9d35cb32ac44db1308
SHA12bf80e2d4c11d8a780e1e132b849afc11d8549d1
SHA256616b3ea379341c21f70104e5781d72f4be5a596b1cc27bafb70588de6f89d74b
SHA5122c029c7350dae1e2c846003b945f17c1b4667de532df2723611ec251d0810545a8ea0f6f9b06f4e910996680d9c97f3dffbe941209ee210fadfa395c57fbfe4e
-
memory/5348-4-0x000001F12E3F0000-0x000001F12F3F0000-memory.dmpFilesize
16.0MB
-
memory/5348-12-0x000001F12E3D0000-0x000001F12E3D1000-memory.dmpFilesize
4KB