31ee8b1f5a729087bfcd58265b4558d9c382736e74934a18200756ac672f6005

Analysis

max time kernel
133s
max time network
138s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
02/05/2024, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lib/jphp-runtime.jar
Size

1.1MB
MD5

d5ef47c915bef65a63d364f5cf7cd467
SHA1

f711f3846e144dddbfb31597c0c165ba8adf8d6b
SHA256

9c287472408857301594f8f7bda108457f6fdae6e25c87ec88dbf3012e5a98b6
SHA512

04aeb956bfcd3bd23b540f9ad2d4110bb2ffd25fe899152c4b2e782daa23a676df9507078ecf1bfc409ddfbe2858ab4c4c324f431e45d8234e13905eb192bae8
SSDEEP

24576:cP4MBZrpGi4exQ9qdXVd/F/3yy7mgviLzIM:czHMi4eKCd/BzaLcM

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4072	icacls.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 4072	2060	java.exe	80
PID 2060 wrote to memory of 4072	2060	java.exe	80

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\lib\jphp-runtime.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
db3475755fc277b5daaeb075220ae478

SHA1
4ca13af3e1feca22bd0ca21091541a9b8278bc7f

SHA256
5611448c3b8e7511d988fa8bdc36b452142e585e3961de197997b0c3eafbd816

SHA512
1d5e139324a5e1f49566a1665a6956fcd63070633288e7e12ef72e1fc3e7a246e256b019dee538f00ac5f43daed1f85688cdb84e6f3ccbc109dd222295809783

Download Submit
memory/2060-2-0x00000259E33A0000-0x00000259E3610000-memory.dmp

Filesize
2.4MB

Download
memory/2060-11-0x00000259E1AF0000-0x00000259E1AF1000-memory.dmp

Filesize
4KB

Download
memory/2060-13-0x00000259E33A0000-0x00000259E3610000-memory.dmp

Filesize
2.4MB

Download