58827ff2fffbefadc96229e71154d5c6f3a4176e7f364e531e2a935845eebbbd

Analysis

max time kernel
94s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
13-04-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58827ff2fffbefadc96229e71154d5c6f3a4176e7f364e531e2a935845eebbbd.jar
Size

64KB
MD5

b47a6b9fed2a61efe164a130b4f55881
SHA1

15e372e7e69b8b9084b9dbcb0518b3a8ae8e586b
SHA256

58827ff2fffbefadc96229e71154d5c6f3a4176e7f364e531e2a935845eebbbd
SHA512

8efc1894516db1dbe62efc514455252ebf103e737ff7c2bf35e9953038d378d7b571083d2cd6e0e12e9d249ba47adcf87b9ffd61e3976f38f9c5affa349722ca
SSDEEP

1536:78VCTm8IlFW+TD7xIia9WCPCc/8C9icqKBDeGCMQOulVOBXTANyWc8liB:7gqboFWU7CikXlevMQOulVYTANyWc8YB

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5112	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 5112	1424	java.exe	85
PID 1424 wrote to memory of 5112	1424	java.exe	85

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\58827ff2fffbefadc96229e71154d5c6f3a4176e7f364e531e2a935845eebbbd.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
556df5ee8b72d74384685d07e8564c81

SHA1
02930fd49deedc9135e95ed6d57e9f76ded598b4

SHA256
0f00e98d030cdd2d70a1bc7728ebc7ff43dbe36270c21c559f5ee4c934dfc985

SHA512
67348f7c70b99e286ce527b89c5b0b38f4c88a35d093266d7e6e6acb617b2fcbbfd8ec93eeefbe7c1c6afa6ecb202d255e49a12e59efbe3bc16f4dff1d28e521

Download Submit
memory/1424-4-0x000002D0B0A10000-0x000002D0B1A10000-memory.dmp

Filesize
16.0MB

Download
memory/1424-12-0x000002D0B09F0000-0x000002D0B09F1000-memory.dmp

Filesize
4KB

Download
memory/1424-17-0x000002D0B0C90000-0x000002D0B0CA0000-memory.dmp

Filesize
64KB

Download
memory/1424-18-0x000002D0B0A10000-0x000002D0B1A10000-memory.dmp

Filesize
16.0MB

Download
memory/1424-19-0x000002D0B0A10000-0x000002D0B1A10000-memory.dmp

Filesize
16.0MB

Download