Analysis
-
max time kernel
130s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
20-03-2024 07:09
Behavioral task
behavioral1
Sample
SOA FROM UNIBEST--JAN-FEB- 2024.jar
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
SOA FROM UNIBEST--JAN-FEB- 2024.jar
Resource
win10v2004-20240226-en
General
-
Target
SOA FROM UNIBEST--JAN-FEB- 2024.jar
-
Size
182KB
-
MD5
72d880a48d6c4ae3c32f6a740dbfc60c
-
SHA1
33ab6e72cb5fcc5bb813214b5ca81602f2fb3a3e
-
SHA256
8a56975848a1d89a620394b492ff9ee0c572b986c8823013c7c6ffc41b135626
-
SHA512
c2c396e3d3c785ca472a7776d447a69062e296a9f427dadf6d9c977d8fb6345066b4503d864a12ae4a488ce4d4cc6c14f17ef849388f869295b4cdcef0a10ee1
-
SSDEEP
3072:Yso1+wQs6Xf5uxo99SzQIHes6HaZshUSjRj55Ogem6Dwwxspzxn8:B7wgvcxo9931vR9KD8wxqV8
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 1 IoCs
-
Drops file in Program Files directory 12 IoCs
Processes:
java.exedescription ioc process File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb java.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
java.exedescription pid process target process PID 5056 wrote to memory of 2536 5056 java.exe icacls.exe PID 5056 wrote to memory of 2536 5056 java.exe icacls.exe
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\SOA FROM UNIBEST--JAN-FEB- 2024.jar"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M2⤵
- Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestampFilesize
46B
MD568c135dc2fcdf59b84a5a18c8e06389c
SHA1ab217f7c7c4192afa03cd12b9e7749b603618b43
SHA256943a3963d829725dba9d7d00eee008e30e270f8dedd485843880712097c0ea96
SHA512879322fe9d410f68a6b91dc967d865d8373089944ecea07f5d5bd86d6a9b3eb18aaafb24dd09d69d7840527e2bfc8b427728f904e4380f95554515e9fe3678e8
-
memory/5056-4-0x000001EC00000000-0x000001EC01000000-memory.dmpFilesize
16.0MB
-
memory/5056-18-0x000001EC00000000-0x000001EC01000000-memory.dmpFilesize
16.0MB
-
memory/5056-19-0x000001EC72320000-0x000001EC72321000-memory.dmpFilesize
4KB
-
memory/5056-25-0x000001EC00290000-0x000001EC002A0000-memory.dmpFilesize
64KB
-
memory/5056-26-0x000001EC00000000-0x000001EC01000000-memory.dmpFilesize
16.0MB
-
memory/5056-27-0x000001EC002A0000-0x000001EC002B0000-memory.dmpFilesize
64KB
-
memory/5056-28-0x000001EC002B0000-0x000001EC002C0000-memory.dmpFilesize
64KB
-
memory/5056-29-0x000001EC002C0000-0x000001EC002D0000-memory.dmpFilesize
64KB