0aa6491b61b2dbbd8e24f13dcfcd795fc62b943fa6ad9441435c673d010a7871

General

Target

1.16.5.jar
Size

639KB
MD5

f03c1b24fdfba7ec585ec71898b42f4e
SHA1

d1a453cb70e52f94386ce3d3009baa675a311004
SHA256

0aa6491b61b2dbbd8e24f13dcfcd795fc62b943fa6ad9441435c673d010a7871
SHA512

1a7cb53978236da109368ca04553ef6c42b77a7ccfa31af0e1491ea592d4db28b3af92fc7c4623c52acc9bacd3e62deef3e2a16296b2d4c4debe6280e49c9807
SSDEEP

12288:u/PhQN/rTZMrF4Vlwxszgu/DRL+hXwNqfqgyh6RNc30uE2hUS6VDEz:u/ZQNRMB4jDzguNmSqfLYp0uZhn6VDEz

Score

7^/10

discovery persistence

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4572 icacls.exe

pid	process
4572	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1714553273328.tmp"	reg.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

java.exe

pid process

4616 java.exe
4616 java.exe
4616 java.exe
4616 java.exe

pid	process
4616	java.exe
4616	java.exe
4616	java.exe
4616	java.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

java.execmd.exe

description	pid	process	target process
PID 4616 wrote to memory of 4572	4616	java.exe	icacls.exe
PID 4616 wrote to memory of 4572	4616	java.exe	icacls.exe
PID 4616 wrote to memory of 2980	4616	java.exe	attrib.exe
PID 4616 wrote to memory of 2980	4616	java.exe	attrib.exe
PID 4616 wrote to memory of 852	4616	java.exe	cmd.exe
PID 4616 wrote to memory of 852	4616	java.exe	cmd.exe
PID 852 wrote to memory of 1364	852	cmd.exe	reg.exe
PID 852 wrote to memory of 1364	852	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2980 attrib.exe

pid	process
2980	attrib.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\1.16.5.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:4572

C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1714553273328.tmp
2⤵
- Views/modifies file attributes
PID:2980

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1714553273328.tmp" /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1714553273328.tmp" /f
3⤵
- Adds Run key to start application
PID:1364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5444 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

1

T1222

Modify Registry

1

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
d50fb42eb24e066750638d0e42e35ad4

SHA1
25691c450347c6ed902a05b1653ee2845926e382

SHA256
c7fb27892a8851a31e535778e94d9c78f96f51b10e522b32e5c9568d13102df5

SHA512
578b63edda00fdabc8c220458ffd9ea172bd38e4c6973ae6e3b0a6a0c3de405be1b6cf43dccb9b3a84a67c3ca6cf75b60c9a873837c8df5aea960e2060962015

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1714553273328.tmp
Filesize
639KB

MD5
f03c1b24fdfba7ec585ec71898b42f4e

SHA1
d1a453cb70e52f94386ce3d3009baa675a311004

SHA256
0aa6491b61b2dbbd8e24f13dcfcd795fc62b943fa6ad9441435c673d010a7871

SHA512
1a7cb53978236da109368ca04553ef6c42b77a7ccfa31af0e1491ea592d4db28b3af92fc7c4623c52acc9bacd3e62deef3e2a16296b2d4c4debe6280e49c9807

Download Submit
memory/4616-58-0x000002012C110000-0x000002012C111000-memory.dmp

Filesize
4KB

Download
memory/4616-129-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-2-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-26-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-12-0x000002012C110000-0x000002012C111000-memory.dmp

Filesize
4KB

Download
memory/4616-29-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-31-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-36-0x000002012C110000-0x000002012C111000-memory.dmp

Filesize
4KB

Download
memory/4616-38-0x000002012C110000-0x000002012C111000-memory.dmp

Filesize
4KB

Download
memory/4616-44-0x000002012C110000-0x000002012C111000-memory.dmp

Filesize
4KB

Download
memory/4616-46-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-47-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-50-0x000002012C110000-0x000002012C111000-memory.dmp

Filesize
4KB

Download
memory/4616-53-0x000002012C110000-0x000002012C111000-memory.dmp

Filesize
4KB

Download
memory/4616-18-0x000002012C110000-0x000002012C111000-memory.dmp

Filesize
4KB

Download
memory/4616-92-0x000002012C110000-0x000002012C111000-memory.dmp

Filesize
4KB

Download
memory/4616-17-0x000002012C110000-0x000002012C111000-memory.dmp

Filesize
4KB

Download
memory/4616-102-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-104-0x000002012C110000-0x000002012C111000-memory.dmp

Filesize
4KB

Download
memory/4616-108-0x000002012C110000-0x000002012C111000-memory.dmp

Filesize
4KB

Download
memory/4616-110-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-111-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-112-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-113-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-114-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-115-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-118-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-120-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-123-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-128-0x000002012C130000-0x000002012D130000-memory.dmp

Filesize
16.0MB

Download
memory/4616-89-0x000002012C110000-0x000002012C111000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads