Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18-04-2024 02:28
Behavioral task
behavioral1
Sample
f77617921c5fb6f8114eca9fe330b8d2bfc3a99c4f581f3f9a8282a31d528aeb.jar
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
f77617921c5fb6f8114eca9fe330b8d2bfc3a99c4f581f3f9a8282a31d528aeb.jar
Resource
win10v2004-20240412-en
General
-
Target
f77617921c5fb6f8114eca9fe330b8d2bfc3a99c4f581f3f9a8282a31d528aeb.jar
-
Size
628KB
-
MD5
bc34f4e23dca52ed6425b46a3dcf5e95
-
SHA1
e82affa4fea489146e3deb803efdb561a394073f
-
SHA256
f77617921c5fb6f8114eca9fe330b8d2bfc3a99c4f581f3f9a8282a31d528aeb
-
SHA512
2f3a171e9ada6f10b4ed182f5fdb4ec7086f99def55db52f2663980eff2009048b6a240f30c7c9e3ba518b4075c79bc77faa5e613e590f823abc1e613385123a
-
SSDEEP
12288:Cz396wbsskjH0PljDlBPfPSlU5XhBFDYU1SkzuiSn/BIu9:s39bssOUP1l9fPScXhfg3z
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | wscript.exe
-
Modifies file permissions 1 TTPs 1 IoCs
Processes:
description | ioc | process
Grants Everyone modify rights, inherited by files and subfolders ((OI)(CI)M) | C:\ProgramData\Oracle\Java\.oracle_jre_usage | icacls.exe (PID 3828, spawned by java.exe PID 4536)
Note: this is the Java 8 launcher's own usage-tracker setup of its ProgramData directory, and the two .timestamp files listed under Downloads are its artifacts; on its own it is not an indicator for this sample.
-
Drops file in Program Files directory 24 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb | java.exe
Note: all 24 entries are jvm.pdb and ntdll.pdb probed under <dir>\, <dir>\dll\ and <dir>\symbols\dll\ for both bin\ and bin\server\, which is the standard dbghelp symbol-search order when the JVM initialises native stack walking. No file under Program Files appears in the Downloads list, so nothing was actually written there; the dropped payloads are the .js, .txt and .class files under C:\Users\Admin.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 4536 wrote to memory of 3828 | 4536 | java.exe | icacls.exe
PID 4536 wrote to memory of 3828 | 4536 | java.exe | icacls.exe
PID 4536 wrote to memory of 3956 | 4536 | java.exe | wscript.exe
PID 4536 wrote to memory of 3956 | 4536 | java.exe | wscript.exe
PID 3956 wrote to memory of 612 | 3956 | wscript.exe | javaw.exe
PID 3956 wrote to memory of 612 | 3956 | wscript.exe | javaw.exe
PID 612 wrote to memory of 2372 | 612 | javaw.exe | java.exe
PID 612 wrote to memory of 2372 | 612 | javaw.exe | java.exe
Note: every write goes from a parent into the child it has just created and mirrors the process tree exactly; the sandbox raises this signature on ordinary process creation, so here it records the launch chain (java.exe -> icacls.exe, java.exe -> wscript.exe -> javaw.exe -> java.exe) rather than injection into an unrelated process.
Processes
-
[1] java.exe (PID 4536)
    Image: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    Command line: java -jar C:\Users\Admin\AppData\Local\Temp\f77617921c5fb6f8114eca9fe330b8d2bfc3a99c4f581f3f9a8282a31d528aeb.jar
    - Suspicious use of WriteProcessMemory
    -
    [2] icacls.exe (PID 3828)
        Image: C:\Windows\system32\icacls.exe
        Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        - Modifies file permissions
    -
    [2] wscript.exe (PID 3956)
        Image: C:\Windows\SYSTEM32\wscript.exe
        Command line: wscript C:\Users\Admin\zbrspjjraf.js
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        -
        [3] javaw.exe (PID 612)
            Image: C:\Program Files\Java\jre-1.8\bin\javaw.exe
            Command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\whxvc.txt"
            - Drops file in Program Files directory
            - Suspicious use of WriteProcessMemory
            -
            [4] java.exe (PID 2372)
                Image: C:\Program Files\Java\jre-1.8\bin\java.exe
                Command line: "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.301597956521741041723863726205309536.class
                - Drops file in Program Files directory
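The launch chain in the tree above (java.exe -> wscript.exe -> javaw.exe -> java.exe, with -jar pointed at a .txt and a .class file under the user profile) expressed as detection logic over process-creation events. This is an added example written for this page; it is not the sandbox vendor's code and not anything from the sample. The events are constructed from the report's own process tree and WriteProcessMemory table in a Sysmon Event ID 1-like shape (ProcessId, ParentProcessId, Image, CommandLine); the field names, the rule names and the root java.exe's parent PID of 0 (the report does not record it) are assumptions.

```python
"""Flag the java -> wscript -> javaw -> java launch chain seen in this report.

Added example for this page (not vendor or sample code). Events are constructed
from the report's process tree; field names, rule names and the root process's
parent PID (0, not recorded in the report) are assumptions.
"""
import ntpath
import re
from typing import Optional

JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
# "-jar <target>" with the target either quoted or bare
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# a file sitting directly under C:\Users\<user>\ (no sub-directory)
USER_ROOT = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+$", re.IGNORECASE)

# Constructed from the report's process tree (PIDs from its WriteProcessMemory table).
EVENTS = [
    {"ProcessId": 4536, "ParentProcessId": 0,  # parent PID not in the report: assumed 0
     "Image": r"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe",
     "CommandLine": r"java -jar C:\Users\Admin\AppData\Local\Temp\f77617921c5fb6f8114eca9fe330b8d2bfc3a99c4f581f3f9a8282a31d528aeb.jar"},
    {"ProcessId": 3828, "ParentProcessId": 4536,
     "Image": r"C:\Windows\system32\icacls.exe",
     "CommandLine": r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M'},
    {"ProcessId": 3956, "ParentProcessId": 4536,
     "Image": r"C:\Windows\SYSTEM32\wscript.exe",
     "CommandLine": r"wscript C:\Users\Admin\zbrspjjraf.js"},
    {"ProcessId": 612, "ParentProcessId": 3956,
     "Image": r"C:\Program Files\Java\jre-1.8\bin\javaw.exe",
     "CommandLine": r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\whxvc.txt"'},
    {"ProcessId": 2372, "ParentProcessId": 612,
     "Image": r"C:\Program Files\Java\jre-1.8\bin\java.exe",
     "CommandLine": r'"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.301597956521741041723863726205309536.class'},
]


def tokens(cmdline: str) -> list:
    """Split a Windows command line into quoted or bare tokens."""
    return [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline)]


def jar_target(cmdline: str) -> Optional[str]:
    """Path handed to -jar, or None when the launcher was not started with -jar."""
    m = JAR_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def script_target(cmdline: str) -> Optional[str]:
    """First non-switch argument after the wscript executable."""
    for tok in tokens(cmdline)[1:]:
        if not tok.startswith("/"):
            return tok
    return None


def lineage(pid: int, by_pid: dict) -> list:
    """Image basenames from the process itself up to its oldest known ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["Image"]).lower())
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def analyse(events: list) -> list:
    """Return (pid, rule, detail) findings for the behaviours recorded in this report."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        pid, cmd = e["ProcessId"], e["CommandLine"]
        image = ntpath.basename(e["Image"]).lower()
        if image in JAVA_LAUNCHERS:
            # Rule 1: the file passed to -jar does not carry a .jar extension
            target = jar_target(cmd)
            if target and ntpath.splitext(target)[1].lower() != ".jar":
                findings.append((pid, "jar_with_non_jar_extension", target))
            # Rule 2: a Java launcher whose ancestry contains wscript.exe that
            # itself descends from a Java launcher (java -> wscript -> java...)
            chain = lineage(pid, by_pid)
            parents = chain[1:]
            if "wscript.exe" in parents:
                above_wscript = parents[parents.index("wscript.exe") + 1:]
                if any(p in JAVA_LAUNCHERS for p in above_wscript):
                    findings.append((pid, "java_wscript_java_chain", " <- ".join(chain)))
        elif image == "wscript.exe":
            # Rule 3: wscript.exe spawned directly by a Java launcher; note where the script lives
            parent = by_pid.get(e["ParentProcessId"])
            if parent and ntpath.basename(parent["Image"]).lower() in JAVA_LAUNCHERS:
                target = script_target(cmd) or ""
                where = "user-profile root" if USER_ROOT.match(target) else "other location"
                findings.append((pid, "java_spawns_wscript", f"{target} ({where})"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyse(EVENTS):
        print(f"PID {pid:<5} {rule:<28} {detail}")
```

Run against the constructed events, rule 3 fires on PID 3956, rule 1 fires on PIDs 612 and 2372 (the .txt and .class targets) and rule 2 fires on the same two PIDs. The root java.exe running the original .jar from Temp is deliberately not flagged by any rule, since a sandbox or a user double-clicking a JAR produces the same event; the signal is the script stage in between and the renamed JARs it launches.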
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize: 46B
MD5: 3780823baacf39173fdfe3b49aa0556b
SHA1: 7546747ba282273f92cdbb79506e435aa9df30c3
SHA256: a466428228802e4ce3a18b87c8f2fddbd8b23959a5162fc8318da85b84f3ddb9
SHA512: b2d9be915a04cb8cddb2101fa96455a83aad07ab78ec15bf8ed878dbc7b040f2a7fa3118932ad31982a152abe2484b3730d5b67e526258d91d5c82cf66199662
-
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize: 46B
MD5: 0e68d818b21c391c1f6fb040f046c999
SHA1: e05cea059707b692bc82c00f3370822d9b2f72c4
SHA256: ea852b0cffea4a7124c3a8450035cc9a8733cae330247dbcb400d4e367136d97
SHA512: 8fa64b0c88c2dc0d1c6f6ba272ac387d156e46f37640448375015b30414172cad353c82c47b74fc4965a3790643733e47161a90784c79449de980ece65f99e5d
-
C:\Users\Admin\AppData\Local\Temp\_0.301597956521741041723863726205309536.class
Filesize: 241KB
MD5: 781fb531354d6f291f1ccab48da6d39f
SHA1: 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512: 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
-
C:\Users\Admin\AppData\Roaming\whxvc.txt
Filesize: 479KB
MD5: d7d1131452a0427e78a2710d280537b5
SHA1: 279b601cb79c5d1790910c839125a45b2f43101d
SHA256: 4c81c42509988b29c4d77288ed55849de919676fbca4a938bf773f893f2e547e
SHA512: 483d03f5dcf0011679463a68f233cb50796c056d1045cc6eeaccae41ffbe51e562a186f6cd6196b0c3b63631553a7d780d6d77648117903e4d58238b2ef8d198
-
C:\Users\Admin\zbrspjjraf.js
Filesize: 945KB
MD5: 1d266565196b28ef3e62398a3fdb63cd
SHA1: d8e7f9d683f3db330c9225ab708d0a4095f2eea1
SHA256: 5fc03a19d37c227c9cfe59a5e962956fb46ae2a7969e0cf0ea1f806e201295a0
SHA512: 51f1a887ba9d6886b10263d06811899313dfcb1469ef64f70658875e4a7da721cf4aee626c3539762d42183a9a1c17d77cb0b80bc7165de73481b9e8d261d3a2
-
memory/612-24-0x000001B9D1AA0000-0x000001B9D2AA0000-memory.dmp (PID 612, javaw.exe)
Filesize: 16.0MB
-
memory/612-39-0x000001B9D0210000-0x000001B9D0211000-memory.dmp (PID 612, javaw.exe)
Filesize: 4KB
-
memory/612-54-0x000001B9D1AA0000-0x000001B9D2AA0000-memory.dmp (PID 612, javaw.exe)
Filesize: 16.0MB
-
memory/612-55-0x000001B9D1D20000-0x000001B9D1D30000-memory.dmp (PID 612, javaw.exe)
Filesize: 64KB
-
memory/612-58-0x000001B9D1AA0000-0x000001B9D2AA0000-memory.dmp (PID 612, javaw.exe)
Filesize: 16.0MB
-
memory/2372-40-0x000001730DFE0000-0x000001730EFE0000-memory.dmp (PID 2372, java.exe)
Filesize: 16.0MB
-
memory/4536-4-0x000001CE00000000-0x000001CE01000000-memory.dmp (PID 4536, java.exe)
Filesize: 16.0MB
-
memory/4536-13-0x000001CE75850000-0x000001CE75851000-memory.dmp (PID 4536, java.exe)
Filesize: 4KB