Analysis
-
max time kernel
149s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240221-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
26-02-2024 12:16
Behavioral task
behavioral1
Sample
shipping bill.jar
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
shipping bill.jar
Resource
win10v2004-20240221-en
General
-
Target
shipping bill.jar
-
Size
126KB
-
MD5
31ac77837bcf9eab9de823001a548afe
-
SHA1
06925f6d41bf7d2a04989095feb9a641e069ae17
-
SHA256
fe05fed36a2b6c2118716120f085ebc72a3baad8e3372942e57926731c8919ab
-
SHA512
15d6cf4d1740302258dbf690b88dce0ba9fcf5d36f57244d688d5009952c182a8db71d0e10925f15d2c9ff2201057dcc910a4e2abc2400971b5c9f267f828f11
-
SSDEEP
3072:bQskmZaPlSPkevgkUlMyr9VhMQknMaxDKLc5QHN8Qbf:7UdYvgj2iMMalBCNj7
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 1 IoCs
-
Drops file in Program Files directory 12 IoCs
Processes: java.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb | java.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: java.exe
description | pid | process | target process
PID 4972 wrote to memory of 4092 | 4972 | java.exe | icacls.exe
PID 4972 wrote to memory of 4092 | 4972 | java.exe | icacls.exe
Processes
-
Level 1
Path
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
Command line
java -jar "C:\Users\Admin\AppData\Local\Temp\shipping bill.jar"
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
Level 2
Path
C:\Windows\system32\icacls.exe
Command line
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
- Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B
MD5
1d2cd464019be4f69043d505b7e56772
SHA1
39ec5298db777770a3fc40a0677d971d1cae215f
SHA256
c9360fef82ed917335bd5ac1a11ef10102e21f71091c1a3e0cef9003f133ae39
SHA512
d05821b96ae9b9356f20eeaeb8145a0a5e57b4b271c047874b0390c5187a3dc29f6798e66d3aa0c6c5f5c6ad2cf4d08af527465ecd2022d56d4b2e64ba6e29f2
-
memory/4972-4-0x000001C280000000-0x000001C281000000-memory.dmp
Filesize
16.0MB
-
memory/4972-15-0x000001C280000000-0x000001C281000000-memory.dmp
Filesize
16.0MB
-
memory/4972-16-0x000001C280000000-0x000001C281000000-memory.dmp
Filesize
16.0MB