Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-03-2024 17:31
Behavioral task
behavioral1
Sample
Factura 39.jar
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
Factura 39.jar
Resource
win10v2004-20240226-en
General
-
Target
Factura 39.jar
-
Size
209KB
-
MD5
3333050c3c251d6d86514742a16005e4
-
SHA1
672122d7cb8b07c939f4bf1415e9c253bd3e41e4
-
SHA256
67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7
-
SHA512
208d54ece920d384dd8a025c3c70114ec040713c3aa6991f574fa343853d2f098bc8bebc213f35f605c6c3c52d72be1f51d5a48f77ff76a959cffac5d1d78559
-
SSDEEP
6144:fm98tJ9Hd/A8FSywzy4RrCVws46CumPHVmyKk:fmatjt7Rw/ews46qNKk
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 1 IoCs
-
Drops file in Program Files directory 12 IoCs
Processes:
java.exedescription ioc process File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb java.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
java.exedescription pid process target process PID 1252 wrote to memory of 4240 1252 java.exe icacls.exe PID 1252 wrote to memory of 4240 1252 java.exe icacls.exe
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\Factura 39.jar"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M2⤵
- Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestampFilesize
46B
MD5a249d91daba53034a2a19268dc77ea1b
SHA135699166d8fd823fc36b59915f2fe68938fa7f4d
SHA2562c73404d3ef4dddf0ce1e1a6d73abe8403472e4c5f0c7dd1cab5054ca69f9881
SHA5129bf1fa82cdd59c0d7cef52e24acac3eb3dbbe35cab4b3d89454f3717220435a9055d7f28758a685bce7800e30550b283e59d27377fb74fea54ff3338d68014b5
-
memory/1252-5-0x00000241DE5F0000-0x00000241DF5F0000-memory.dmpFilesize
16.0MB
-
memory/1252-17-0x00000241DE5F0000-0x00000241DF5F0000-memory.dmpFilesize
16.0MB
-
memory/1252-19-0x00000241DE5D0000-0x00000241DE5D1000-memory.dmpFilesize
4KB
-
memory/1252-24-0x00000241DE870000-0x00000241DE880000-memory.dmpFilesize
64KB
-
memory/1252-25-0x00000241DE880000-0x00000241DE890000-memory.dmpFilesize
64KB
-
memory/1252-26-0x00000241DE5F0000-0x00000241DF5F0000-memory.dmpFilesize
16.0MB
-
memory/1252-27-0x00000241DE8A0000-0x00000241DE8B0000-memory.dmpFilesize
64KB
-
memory/1252-28-0x00000241DE8B0000-0x00000241DE8C0000-memory.dmpFilesize
64KB
-
memory/1252-29-0x00000241DE8C0000-0x00000241DE8D0000-memory.dmpFilesize
64KB
-
memory/1252-30-0x00000241DE5F0000-0x00000241DF5F0000-memory.dmpFilesize
16.0MB