Overview

overview

10

Static

static

10

f77617921c...eb.jar

windows7-x64

3

f77617921c...eb.jar

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 02:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f77617921c5fb6f8114eca9fe330b8d2bfc3a99c4f581f3f9a8282a31d528aeb.jar

  • Size

    628KB

  • MD5

    bc34f4e23dca52ed6425b46a3dcf5e95

  • SHA1

    e82affa4fea489146e3deb803efdb561a394073f

  • SHA256

    f77617921c5fb6f8114eca9fe330b8d2bfc3a99c4f581f3f9a8282a31d528aeb

  • SHA512

    2f3a171e9ada6f10b4ed182f5fdb4ec7086f99def55db52f2663980eff2009048b6a240f30c7c9e3ba518b4075c79bc77faa5e613e590f823abc1e613385123a

  • SSDEEP

    12288:Cz396wbsskjH0PljDlBPfPSlU5XhBFDYU1SkzuiSn/BIu9:s39bssOUP1l9fPScXhfg3z

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Drops file in Program Files directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\f77617921c5fb6f8114eca9fe330b8d2bfc3a99c4f581f3f9a8282a31d528aeb.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:3828
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\zbrspjjraf.js
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Program Files\Java\jre-1.8\bin\javaw.exe
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\whxvc.txt"
        3⤵
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:612
        • C:\Program Files\Java\jre-1.8\bin\java.exe
          "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.301597956521741041723863726205309536.class
          4⤵
          • Drops file in Program Files directory
          PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1
T1222

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    3780823baacf39173fdfe3b49aa0556b

    SHA1

    7546747ba282273f92cdbb79506e435aa9df30c3

    SHA256

    a466428228802e4ce3a18b87c8f2fddbd8b23959a5162fc8318da85b84f3ddb9

    SHA512

    b2d9be915a04cb8cddb2101fa96455a83aad07ab78ec15bf8ed878dbc7b040f2a7fa3118932ad31982a152abe2484b3730d5b67e526258d91d5c82cf66199662

    Download Submit
  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    0e68d818b21c391c1f6fb040f046c999

    SHA1

    e05cea059707b692bc82c00f3370822d9b2f72c4

    SHA256

    ea852b0cffea4a7124c3a8450035cc9a8733cae330247dbcb400d4e367136d97

    SHA512

    8fa64b0c88c2dc0d1c6f6ba272ac387d156e46f37640448375015b30414172cad353c82c47b74fc4965a3790643733e47161a90784c79449de980ece65f99e5d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_0.301597956521741041723863726205309536.class
    Filesize

    241KB

    MD5

    781fb531354d6f291f1ccab48da6d39f

    SHA1

    9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

    SHA256

    97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

    SHA512

    3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

    Download Submit
  • C:\Users\Admin\AppData\Roaming\whxvc.txt
    Filesize

    479KB

    MD5

    d7d1131452a0427e78a2710d280537b5

    SHA1

    279b601cb79c5d1790910c839125a45b2f43101d

    SHA256

    4c81c42509988b29c4d77288ed55849de919676fbca4a938bf773f893f2e547e

    SHA512

    483d03f5dcf0011679463a68f233cb50796c056d1045cc6eeaccae41ffbe51e562a186f6cd6196b0c3b63631553a7d780d6d77648117903e4d58238b2ef8d198

    Download Submit
  • C:\Users\Admin\zbrspjjraf.js
    Filesize

    945KB

    MD5

    1d266565196b28ef3e62398a3fdb63cd

    SHA1

    d8e7f9d683f3db330c9225ab708d0a4095f2eea1

    SHA256

    5fc03a19d37c227c9cfe59a5e962956fb46ae2a7969e0cf0ea1f806e201295a0

    SHA512

    51f1a887ba9d6886b10263d06811899313dfcb1469ef64f70658875e4a7da721cf4aee626c3539762d42183a9a1c17d77cb0b80bc7165de73481b9e8d261d3a2

    Download Submit
  • memory/612-24-0x000001B9D1AA0000-0x000001B9D2AA0000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/612-39-0x000001B9D0210000-0x000001B9D0211000-memory.dmp
    Filesize

    4KB

    Download
  • memory/612-54-0x000001B9D1AA0000-0x000001B9D2AA0000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/612-55-0x000001B9D1D20000-0x000001B9D1D30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/612-58-0x000001B9D1AA0000-0x000001B9D2AA0000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/2372-40-0x000001730DFE0000-0x000001730EFE0000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/4536-4-0x000001CE00000000-0x000001CE01000000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/4536-13-0x000001CE75850000-0x000001CE75851000-memory.dmp
    Filesize

    4KB

    Download