Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 11:46
Static task: static1
Behavioral task: behavioral1 (Sample: 1.jar, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: 1.jar, Resource: win10v2004-20240426-en)
General
- Target: 1.jar
- Size: 48KB
- MD5: 82592ebfde7fe301ee9a3bd14e79ea71
- SHA1: 07363274a24c63eb10325989cc377435587e8ed5
- SHA256: 508d6f893f07538458fdf64e07d02789280217efbf7144ddce62aad2bf90cdc2
- SHA512: a399ce77952bb5e4c11c855c820b1803b9ca663c18f3eb5ed5238875fa710db6924e0b734d98d871c27a23a3bfa7d2ce0c6b8e58643ae6225a28998f29fa440a
- SSDEEP: 1536:YarSmry9uv651pAW91i0Q3B6bpLx74oxv:YarSJ9uvmsW91i0ecbz74Q
Malware Config
Extracted
- metasploit
- windows/reverse_http
- http://74.48.220.31:8632/DcTIHAkb/1Q9Al5hrrEDE4cXgoQm6Fg0czya0_1TO2gj2SNkyRMJ-nPV-2Q7lwYfx0yo1Em6ftP82BkL9xndf87LveJ-VVrDZ6OgJgN6b-niS5pLy52oQopR7348MLx5xDu2aNijLl-gsz7J9RcbgJnkc8J_5tuTtHXpWJRhnKwdZw9UP7M-qScr-52RnEiK
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (1 IoC)
  Processes: zNxICWLP.exe
  pid   process
  2452  zNxICWLP.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: java.exe, java.exe, java.exe
  description                        pid   process   target process
  PID 2272 wrote to memory of 2564   2272  java.exe  java.exe
  PID 2272 wrote to memory of 2564   2272  java.exe  java.exe
  PID 2272 wrote to memory of 2564   2272  java.exe  java.exe
  PID 2564 wrote to memory of 2576   2564  java.exe  java.exe
  PID 2564 wrote to memory of 2576   2564  java.exe  java.exe
  PID 2564 wrote to memory of 2576   2564  java.exe  java.exe
  PID 2576 wrote to memory of 2452   2576  java.exe  zNxICWLP.exe
  PID 2576 wrote to memory of 2452   2576  java.exe  zNxICWLP.exe
  PID 2576 wrote to memory of 2452   2576  java.exe  zNxICWLP.exe
  PID 2576 wrote to memory of 2452   2576  java.exe  zNxICWLP.exe
Processes
1. C:\Windows\system32\java.exe
   Command line: java -jar C:\Users\Admin\AppData\Local\Temp\1.jar
   - Suspicious use of WriteProcessMemory
  2. C:\Program Files\Java\jre7\bin\java.exe
     Command line: "C:\Program Files\Java\jre7\bin\java.exe" -classpath C:\Users\Admin\AppData\Local\Temp\~spawn4086140395569055857.tmp.dir metasploit.Payload
     - Suspicious use of WriteProcessMemory
    3. C:\Program Files\Java\jre7\bin\java.exe
       Command line: "C:\Program Files\Java\jre7\bin\java.exe" -classpath C:\Users\Admin\AppData\Local\Temp\~spawn4962602422807101034.tmp.dir metasploit.Payload
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\~spawn3626791245550091311.tmp.dir\zNxICWLP.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\~spawn3626791245550091311.tmp.dir\zNxICWLP.exe
         - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\~spawn3626791245550091311.tmp.dir\zNxICWLP.exe
  Filesize: 72KB
  MD5: 8ae8af22e928115215835a6ac0c3558f
  SHA1: 94d50ae882570f3dc170888cc63401c4578c1856
  SHA256: e2c54b54fabaaa2203ca11de66f55df067d977d4abc04ed8311f1fda5bb89801
  SHA512: ec8f8be773646306a93131cc81de41276c2780738ae870c374da817dec98f6351d90918f84b683e6526c0b6ab6ec206b8ef518708cc801b37e6ec1ea154272eb
- C:\Users\Admin\AppData\Local\Temp\~spawn4086140395569055857.tmp.dir\metasploit.dat
  Filesize: 151B
  MD5: 14236e75576e2bf553c869d9cd0e2b5d
  SHA1: a318c406ddb0d8938e2778aa616df885f130973d
  SHA256: b3033e1803009e85f569fe9002647313e74c16cd47dc78819c2e10326e218d21
  SHA512: eac2103173e5bbae8881a6c1fbff69b2a3c1ff0aa40bce6b0c9cf1c8e5c1479e19ecca20a9ccd90146001a2d57104bf843ee2ee63e6df60ee26c880c9428c02c
- C:\Users\Admin\AppData\Local\Temp\~spawn4086140395569055857.tmp.dir\metasploit\Payload.class
  Filesize: 8KB
  MD5: e0efce91393df3801df3790996946fb1
  SHA1: e72ae1cb75b65b46687a44122f609604a88f1134
  SHA256: f2d768ccb588b5bb61d18769b04c2adcc92ec17ca00032808a1aad8235820c0b
  SHA512: f8a10b4a88f978f8afa820e626b2d417764477889c7bf6de805fab2cf62ea9d553132e7083fb33929b0b8974c4a7a72720b20d154d7022100c15e0b53e2f784f
- C:\Users\Admin\AppData\Local\Temp\~spawn4962602422807101034.tmp.dir\metasploit.dat
  Filesize: 151B
  MD5: 8669709de6a11fa101a68e1be3160907
  SHA1: 590a635c6fe810a86ccdec46fa22bf64a5be80f5
  SHA256: 8405dd5c9e558609cadc3cc110646b75fbe1a4eafde3a85749b05fa0210a3858
  SHA512: 98a2787afe9fb6a89e50818e3dc0f93249932fd19f5d203685e14cdfb4a16f8d110b85cacc17358aa144ac72a01cca9c18f8dcb394d7a8336a180d29342b502a
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\83aa4cc77f591dfc2374580bbd95f6ba_ad04ce47-83ca-4cca-a79e-77cdc80ce41e
  Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
- memory/2272-2-0x0000000002630000-0x00000000028A0000-memory.dmp (Filesize: 2.4MB)
- memory/2272-52-0x0000000000340000-0x0000000000341000-memory.dmp (Filesize: 4KB)
- memory/2272-53-0x0000000002630000-0x00000000028A0000-memory.dmp (Filesize: 2.4MB)
- memory/2452-46-0x0000000000020000-0x0000000000021000-memory.dmp (Filesize: 4KB)
- memory/2564-19-0x0000000002600000-0x0000000002870000-memory.dmp (Filesize: 2.4MB)
- memory/2564-49-0x0000000000140000-0x0000000000141000-memory.dmp (Filesize: 4KB)
- memory/2564-50-0x0000000002600000-0x0000000002870000-memory.dmp (Filesize: 2.4MB)
- memory/2576-32-0x00000000026B0000-0x0000000002920000-memory.dmp (Filesize: 2.4MB)
- memory/2576-45-0x0000000000340000-0x0000000000341000-memory.dmp (Filesize: 4KB)
- memory/2576-47-0x00000000026B0000-0x0000000002920000-memory.dmp (Filesize: 2.4MB)