ca438598c383fab834c5e52369032e30c657f8f70cbb095f181ea7779d34bba1

Analysis

max time kernel
91s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2024, 07:36 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Telexcopy.pdf.jar
Size

395KB
MD5

81e621517a407ae36da0a767b960c88c
SHA1

421f3489d10b803e2dd64d0b47ce619da2da448a
SHA256

ca438598c383fab834c5e52369032e30c657f8f70cbb095f181ea7779d34bba1
SHA512

cd0510723447c5ace63f4ec9eb1aa0aa7d9d56b70f08b16c92c71b9825351122e59c1b5173e1e7288f59a8d732be122e90be397521f80e71328d743ad172788c
SSDEEP

192:WtZ3hAJtjmbwOqaI55LEOkOYiDiMkCjvDhvLlSIz3v4M3LwsUE+1MB7hikCOrPiH:cZ3hOOJvsEOWGWCjvSmwM7wsTvQMC

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5096	icacls.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 5096	3428	java.exe	77
PID 3428 wrote to memory of 5096	3428	java.exe	77
PID 3428 wrote to memory of 4988	3428	java.exe	79
PID 3428 wrote to memory of 4988	3428	java.exe	79
PID 3428 wrote to memory of 1648	3428	java.exe	80
PID 3428 wrote to memory of 1648	3428	java.exe	80

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Telexcopy.pdf.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:5096
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java -jar C:\Users\Admin\Links\explorer.jar
  2⤵
  - Drops file in Program Files directory
  PID:4988
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java -jar C:\Users\Admin\Links\window.jar
  2⤵
  - Drops file in Program Files directory
  PID:1648

Network

DNS

mbycket45344.s3.eu-north-1.amazonaws.com

java.exe

Remote address:

8.8.8.8:53

Request

mbycket45344.s3.eu-north-1.amazonaws.com

IN A

Response

mbycket45344.s3.eu-north-1.amazonaws.com

IN CNAME

s3-r-w.eu-north-1.amazonaws.com

s3-r-w.eu-north-1.amazonaws.com

IN A

16.12.9.6

s3-r-w.eu-north-1.amazonaws.com

IN A

3.5.216.50
DNS

8.8.8.8.in-addr.arpa

java.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

6.9.12.16.in-addr.arpa

java.exe

Remote address:

8.8.8.8:53

Request

6.9.12.16.in-addr.arpa

IN PTR

Response

6.9.12.16.in-addr.arpa

IN PTR

s3-r-w eu-north-1 amazonawscom
DNS

nexusrules.officeapps.live.com

java.exe

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.243.29
DNS

29.243.111.52.in-addr.arpa

java.exe

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response

16.12.9.6:443

mbycket45344.s3.eu-north-1.amazonaws.com

tls

java.exe

221.1kB
11.9MB
4685
8546

8.8.8.8:53

mbycket45344.s3.eu-north-1.amazonaws.com

dns

java.exe

368 B
641 B
5
5

DNS Request

mbycket45344.s3.eu-north-1.amazonaws.com

DNS Response

16.12.9.6

3.5.216.50

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

6.9.12.16.in-addr.arpa

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.243.29

DNS Request

29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
85f48984bfc4ef4026c579925c7f703d

SHA1
2613029aa6825275aa85991f8389d0070f7df4fe

SHA256
29de91d6a2bc2f6779eb0985b89976d70db847554b1e356e28c0824dd9df54fa

SHA512
6db622efb67017f706cbfb720c5a99812818a9f55ac485278723e8653e91b9786a8604c4419574caab5955e45d4710fd94f601b6e9ca511762ce18813bbbaccf

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
7642d1d699f0f4388f28a82b518e9dc0

SHA1
78af97cd9a245bfbe5b5dc5771bd61831a57358b

SHA256
304081f0d42d2715836ca7f19f570efbeac93baf8b87cf29b4f22aedee442025

SHA512
a462647ddc0427cdb097cf0ef7c6c6f469a011bf624c6623da1998c2e73294f612ca683b24d4505e501533d2f532567d1bab51708a0e321388ff21bb1e8edaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache8004913419681813378.tmp

Filesize
10.2MB

MD5
87448d684fe373578e79e0c536d5181b

SHA1
c0351790f855b64b99d40da21eb6ea847634fa0b

SHA256
b6c74b0553aeab8555d72d038d9fd3a9c90e463debee0bd4434daffb0e475d76

SHA512
ec8b9317d3e3329c7f653b4a0aec13f092ffe51e4962d98f528c1b3640f7e7c121a6891bba627764d4115ad585aeff158d8dc58dca6ae6b2eac850bac112a5fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1637591879-962683004-3585269084-1000\83aa4cc77f591dfc2374580bbd95f6ba_6f6f3b96-c90d-49e3-bf49-af8f1b70c337

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\Links\explorer.jar

Filesize
361KB

MD5
6ba301a194e6de1e321ef6e82b15b610

SHA1
21cc7ee861ae7635ac352adca00e8e8a68f699b3

SHA256
30800c778491759bc4100d73e08e8d18b099c8d79178c104e1159f9de088aa1a

SHA512
2239fc2e7701f9e74d509cd5b373b3ca3f424c9f17240317f10f77c3d2c141f3be614294770f0f4f503aeac0fb5d1d230a5891640174560c91402746abb74814

Download Submit
C:\Users\Admin\Links\window.jar

Filesize
9.6MB

MD5
6d01183d526c3fc01dde06b90977350c

SHA1
7f3fdab4e1ba7513fb3597310d3531ec831ee6ec

SHA256
b7205d8c2bb3672bbc15ba4f37189b8bce55e320bf917398e6018054bd2c09bf

SHA512
5d5365fb0884fd0864dfe475c7ebdbf0c7ff802542418a1105c9cf3210ae91c86c8192497c9c66d8ec2f8bfa42d190ae2fe44fb0d201926b36c09ade4814f3a7

Download Submit
memory/1648-168-0x0000019E32250000-0x0000019E33250000-memory.dmp

Filesize
16.0MB

Download
memory/1648-125-0x0000019E30A20000-0x0000019E30A21000-memory.dmp

Filesize
4KB

Download
memory/1648-172-0x0000019E32250000-0x0000019E33250000-memory.dmp

Filesize
16.0MB

Download
memory/1648-107-0x0000019E30A20000-0x0000019E30A21000-memory.dmp

Filesize
4KB

Download
memory/1648-108-0x0000019E32250000-0x0000019E33250000-memory.dmp

Filesize
16.0MB

Download
memory/1648-178-0x0000019E32250000-0x0000019E33250000-memory.dmp

Filesize
16.0MB

Download
memory/1648-185-0x0000019E32250000-0x0000019E33250000-memory.dmp

Filesize
16.0MB

Download
memory/1648-189-0x0000019E30A20000-0x0000019E30A21000-memory.dmp

Filesize
4KB

Download
memory/3428-64-0x0000023731740000-0x0000023732740000-memory.dmp

Filesize
16.0MB

Download
memory/3428-55-0x000002372FEE0000-0x000002372FEE1000-memory.dmp

Filesize
4KB

Download
memory/3428-78-0x0000023731740000-0x0000023732740000-memory.dmp

Filesize
16.0MB

Download
memory/3428-76-0x000002372FEE0000-0x000002372FEE1000-memory.dmp

Filesize
4KB

Download
memory/3428-82-0x0000023731740000-0x0000023732740000-memory.dmp

Filesize
16.0MB

Download
memory/3428-87-0x0000023731740000-0x0000023732740000-memory.dmp

Filesize
16.0MB

Download
memory/3428-196-0x0000023731740000-0x0000023732740000-memory.dmp

Filesize
16.0MB

Download
memory/3428-65-0x0000023731740000-0x0000023732740000-memory.dmp

Filesize
16.0MB

Download
memory/3428-4-0x0000023731740000-0x0000023732740000-memory.dmp

Filesize
16.0MB

Download
memory/3428-43-0x0000023731740000-0x0000023732740000-memory.dmp

Filesize
16.0MB

Download
memory/3428-51-0x0000023731740000-0x0000023732740000-memory.dmp

Filesize
16.0MB

Download
memory/3428-12-0x000002372FEE0000-0x000002372FEE1000-memory.dmp

Filesize
4KB

Download
memory/3428-49-0x000002372FEE0000-0x000002372FEE1000-memory.dmp

Filesize
4KB

Download
memory/3428-47-0x0000023731740000-0x0000023732740000-memory.dmp

Filesize
16.0MB

Download
memory/3428-17-0x0000023731740000-0x0000023732740000-memory.dmp

Filesize
16.0MB

Download
memory/3428-77-0x000002372FEE0000-0x000002372FEE1000-memory.dmp

Filesize
4KB

Download
memory/3428-29-0x0000023731740000-0x0000023732740000-memory.dmp

Filesize
16.0MB

Download
memory/3428-39-0x0000023731740000-0x0000023732740000-memory.dmp

Filesize
16.0MB

Download
memory/4988-132-0x0000019AC3650000-0x0000019AC4650000-memory.dmp

Filesize
16.0MB

Download
memory/4988-151-0x0000019AC38D0000-0x0000019AC38E0000-memory.dmp

Filesize
64KB

Download
memory/4988-154-0x0000019AC3900000-0x0000019AC3910000-memory.dmp

Filesize
64KB

Download
memory/4988-157-0x0000019AC3930000-0x0000019AC3940000-memory.dmp

Filesize
64KB

Download
memory/4988-160-0x0000019AC3650000-0x0000019AC4650000-memory.dmp

Filesize
16.0MB

Download
memory/4988-153-0x0000019AC3650000-0x0000019AC4650000-memory.dmp

Filesize
16.0MB

Download
memory/4988-144-0x0000019AC3650000-0x0000019AC4650000-memory.dmp

Filesize
16.0MB

Download
memory/4988-143-0x0000019AC1E30000-0x0000019AC1E31000-memory.dmp

Filesize
4KB

Download
memory/4988-124-0x0000019AC3650000-0x0000019AC4650000-memory.dmp

Filesize
16.0MB

Download
memory/4988-109-0x0000019AC1E30000-0x0000019AC1E31000-memory.dmp

Filesize
4KB

Download
memory/4988-96-0x0000019AC3650000-0x0000019AC4650000-memory.dmp

Filesize
16.0MB

Download
memory/4988-197-0x0000019AC3650000-0x0000019AC4650000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.