fbff2ebba99bfa194af533852062c6d60831c7cc3801d4af980c329721484a28

General

Target

Aristois-Free.jar
Size

6.6MB
MD5

4cad86ed173ff0dad198582d86bf62b6
SHA1

d25bd59b411076ccc1ed4b4daef78aef093a9d3d
SHA256

fbff2ebba99bfa194af533852062c6d60831c7cc3801d4af980c329721484a28
SHA512

e233c3ba1b3aeab0e286ad46e7ac4f34ae2207269c7a624bc29d90f14e6ff2dac4d74785414966569ab8da0b2d65d591eadd8884c1989976c361b5ff0c87aea2
SSDEEP

196608:N0EY4XwEff0cxykwL9g1leOnAU+1blTRLXKrC05:KYDf8FkHXAU8dJXKrb5

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4804	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
572	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1004	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1004	vlc.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1004	vlc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 4804	2356	java.exe	80
PID 2356 wrote to memory of 4804	2356	java.exe	80

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Aristois-Free.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:4804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:912

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\NewRename.mp3"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ConfirmProtect.cmd" "
1⤵
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ConfirmProtect.cmd" "
1⤵
PID:1564

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ConfirmProtect.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
1c926eb9c193c077bf87d11f6abb3af9

SHA1
48b2b7ed2cbe126e442dc2ebbc53acf6ee092f6c

SHA256
3d48085b9a5f0f35668502769fb50f7ffba50e90b42f0537ae0005944a785243

SHA512
19ea02650e92cfdacb9a695cd5cc780920af0654a4733405bd3f167b4fcb5cfc417f4580ee31e8384990f6b6d550f62c65335a09accd70fed01e853925dce0e0

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
77B

MD5
89366e497e206687f657893c7fd35d0c

SHA1
b21e9ca52a65e4d51a43a001890d3a0255dde37f

SHA256
818a290381eeae0a806c0da9ef45a79523d37b7bf12e0c36b41051c165b49913

SHA512
ec4d9c47e7f45c5dafe5501bb9853f2933eed2d64986cb0a644ffea3d963ca61f93e48ece55c26fe83369413d4734006d21524577a21fd5f1cebb9091f512083

Download Submit
memory/1004-70-0x00007FF9B5200000-0x00007FF9B5312000-memory.dmp

Filesize
1.1MB

Download
memory/1004-69-0x00007FF9B5DA0000-0x00007FF9B6E4B000-memory.dmp

Filesize
16.7MB

Download
memory/1004-68-0x00007FF9B7860000-0x00007FF9B7B14000-memory.dmp

Filesize
2.7MB

Download
memory/1004-67-0x00007FF9C8C00000-0x00007FF9C8C34000-memory.dmp

Filesize
208KB

Download
memory/1004-66-0x00007FF796600000-0x00007FF7966F8000-memory.dmp

Filesize
992KB

Download
memory/2356-36-0x00000229002D0000-0x00000229002E0000-memory.dmp

Filesize
64KB

Download
memory/2356-40-0x0000022900320000-0x0000022900330000-memory.dmp

Filesize
64KB

Download
memory/2356-35-0x00000229002C0000-0x00000229002D0000-memory.dmp

Filesize
64KB

Download
memory/2356-4-0x0000022900000000-0x0000022901000000-memory.dmp

Filesize
16.0MB

Download
memory/2356-37-0x00000229002F0000-0x0000022900300000-memory.dmp

Filesize
64KB

Download
memory/2356-38-0x0000022900000000-0x0000022901000000-memory.dmp

Filesize
16.0MB

Download
memory/2356-39-0x0000022900310000-0x0000022900320000-memory.dmp

Filesize
64KB

Download
memory/2356-34-0x00000229002B0000-0x00000229002C0000-memory.dmp

Filesize
64KB

Download
memory/2356-41-0x0000022900330000-0x0000022900340000-memory.dmp

Filesize
64KB

Download
memory/2356-42-0x0000022900000000-0x0000022901000000-memory.dmp

Filesize
16.0MB

Download
memory/2356-32-0x0000022900300000-0x0000022900310000-memory.dmp

Filesize
64KB

Download
memory/2356-33-0x00000229002A0000-0x00000229002B0000-memory.dmp

Filesize
64KB

Download
memory/2356-31-0x0000022900280000-0x0000022900290000-memory.dmp

Filesize
64KB

Download
memory/2356-27-0x0000022900000000-0x0000022901000000-memory.dmp

Filesize
16.0MB

Download
memory/2356-18-0x0000022900000000-0x0000022901000000-memory.dmp

Filesize
16.0MB

Download
memory/2356-12-0x00000229794C0000-0x00000229794C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing