Analysis

Max time kernel: 149s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22-05-2024 11:46
Static task: static1

Behavioral task: behavioral1
  Sample: 1.jar
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 1.jar
  Resource: win10v2004-20240426-en
General

Target: 1.jar
Size: 48KB
MD5: 82592ebfde7fe301ee9a3bd14e79ea71
SHA1: 07363274a24c63eb10325989cc377435587e8ed5
SHA256: 508d6f893f07538458fdf64e07d02789280217efbf7144ddce62aad2bf90cdc2
SHA512: a399ce77952bb5e4c11c855c820b1803b9ca663c18f3eb5ed5238875fa710db6924e0b734d98d871c27a23a3bfa7d2ce0c6b8e58643ae6225a28998f29fa440a
SSDEEP: 1536:YarSmry9uv651pAW91i0Q3B6bpLx74oxv:YarSJ9uvmsW91i0ecbz74Q
Malware Config

Extracted family: metasploit
Payload: windows/reverse_http
C2 URL: http://74.48.220.31:8632/DcTIHAkb/1Q9Al5hrrEDE4cXgoQm6Fg0czya0_1TO2gj2SNkyRMJ-nPV-2Q7lwYfx0yo1Em6ftP82BkL9xndf87LveJ-VVrDZ6OgJgN6b-niS5pLy52oQopR7348MLx5xDu2aNijLl-gsz7J9RcbgJnkc8J_5tuTtHXpWJRhnKwdZw9UP7M-qScr-52RnEiK
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Executes dropped EXE (1 IoC)
  Processes:
    PID 4528  zNxICWLP.exe

Modifies file permissions (1 TTP, 1 IoC)
  icacls grant on C:\ProgramData\Oracle\Java\.oracle_jre_usage (see process tree below)

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source PID wrote to memory of target PID):
    PID 4092 java.exe -> PID 3656 icacls.exe      (2 events)
    PID 4092 java.exe -> PID 5088 java.exe        (2 events)
    PID 5088 java.exe -> PID 4940 java.exe        (2 events)
    PID 4940 java.exe -> PID 4528 zNxICWLP.exe    (3 events)
Processes

[1] C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe  (PID 4092)
    Command line: java -jar C:\Users\Admin\AppData\Local\Temp\1.jar
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\icacls.exe  (PID 3656)
      Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      - Modifies file permissions

  [2] C:\Program Files\Java\jre-1.8\bin\java.exe  (PID 5088)
      Command line: "C:\Program Files\Java\jre-1.8\bin\java.exe" -classpath C:\Users\Admin\AppData\Local\Temp\~spawn62463778132253767.tmp.dir metasploit.Payload
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files\Java\jre-1.8\bin\java.exe  (PID 4940)
        Command line: "C:\Program Files\Java\jre-1.8\bin\java.exe" -classpath C:\Users\Admin\AppData\Local\Temp\~spawn8002907063451268695.tmp.dir metasploit.Payload
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\~spawn659622527208658630.tmp.dir\zNxICWLP.exe  (PID 4528)
          Command line: C:\Users\Admin\AppData\Local\Temp\~spawn659622527208658630.tmp.dir\zNxICWLP.exe
          - Executes dropped EXE

(Tree depth is the bracketed number; PIDs are taken from the WriteProcessMemory IoCs in the Signatures section.)
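The process tree above is the staging chain of the Metasploit Java payload: the JVM that ran 1.jar re-launches java.exe twice from a %TEMP%\~spawn<digits>.tmp.dir directory holding metasploit\Payload.class and a metasploit.dat config, and the last JVM drops and executes zNxICWLP.exe from a third such directory, the windows/reverse_http payload that calls back to the URL in Malware Config. The icacls grant on .oracle_jre_usage, by contrast, is the Oracle JRE usage-tracker directory that the javapath launcher sets up; it appears for benign jars as well and is weak evidence on its own. The script below is an added example for this page, not output of the sandbox and not Metasploit code. It runs two detection rules over process-creation events constructed from this tree (the pid/ppid/image/cmdline field layout, the missing parent of the root java.exe and the benign control event at the end are assumptions standing in for real EDR or Sysmon telemetry), reconstructs the ancestry of each hit so an analyst sees the whole chain rather than one process, and splits the extracted C2 URL into a blockable host and port.

```python
"""Detect the Metasploit Java-payload respawn chain from process-creation events.

Added example for this report page; not sandbox output and not Metasploit code.
Event records are constructed from the report's process tree and
WriteProcessMemory IoCs. Assumptions: the (pid, ppid, image, cmdline) layout,
ppid 0 for a parent that is not in the telemetry, and the benign control event.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rules: list
    chain: str  # root-first ancestry as "image(pid) -> image(pid)"


# Constructed from the report's process tree. ppid 0 = parent not in telemetry (assumption).
EVENTS = [
    ProcEvent(4092, 0, r"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe",
              r"java -jar C:\Users\Admin\AppData\Local\Temp\1.jar"),
    ProcEvent(3656, 4092, r"C:\Windows\system32\icacls.exe",
              r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M'),
    ProcEvent(5088, 4092, r"C:\Program Files\Java\jre-1.8\bin\java.exe",
              r'"C:\Program Files\Java\jre-1.8\bin\java.exe" -classpath C:\Users\Admin\AppData\Local\Temp\~spawn62463778132253767.tmp.dir metasploit.Payload'),
    ProcEvent(4940, 5088, r"C:\Program Files\Java\jre-1.8\bin\java.exe",
              r'"C:\Program Files\Java\jre-1.8\bin\java.exe" -classpath C:\Users\Admin\AppData\Local\Temp\~spawn8002907063451268695.tmp.dir metasploit.Payload'),
    ProcEvent(4528, 4940, r"C:\Users\Admin\AppData\Local\Temp\~spawn659622527208658630.tmp.dir\zNxICWLP.exe",
              r"C:\Users\Admin\AppData\Local\Temp\~spawn659622527208658630.tmp.dir\zNxICWLP.exe"),
    # Assumed benign control: an ordinary JVM launch that must not alert.
    ProcEvent(6000, 0, r"C:\Program Files\Java\jre-1.8\bin\java.exe",
              r'"C:\Program Files\Java\jre-1.8\bin\java.exe" -classpath C:\app\lib\* com.example.Main'),
]

# C2 URL from the report's Malware Config section.
C2_URL = ("http://74.48.220.31:8632/DcTIHAkb/1Q9Al5hrrEDE4cXgoQm6Fg0czya0_1TO2gj2SNkyRMJ-nPV-2Q7lwYfx0yo1Em6ftP8"
          "2BkL9xndf87LveJ-VVrDZ6OgJgN6b-niS5pLy52oQopR7348MLx5xDu2aNijLl-gsz7J9RcbgJnkc8J_5tuTtHXpWJRhnKwdZw9UP7M-qScr-52RnEiK")

# Rule 1: a JVM re-launched with a ~spawn<digits>.tmp.dir classpath and the
# metasploit.Payload entry class, i.e. the Java payload respawning itself.
JAVA_STAGER = re.compile(r"-classpath\s+\S*\\~spawn\d+\.tmp\.dir\s+metasploit\.Payload\b", re.I)
# Rule 2: any image executed out of one of those temp directories (the dropped EXE).
SPAWN_DIR_IMAGE = re.compile(r"\\~spawn\d+\.tmp\.dir\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify(ev: ProcEvent) -> list:
    rules = []
    if basename(ev.image).lower() == "java.exe" and JAVA_STAGER.search(ev.cmdline):
        rules.append("java_metasploit_payload_respawn")
    if SPAWN_DIR_IMAGE.search(ev.image):
        rules.append("image_from_spawn_tmp_dir")
    return rules


def ancestry(events, pid: int) -> list:
    """Follow ppid links to the root (or to a pid absent from telemetry); loop-safe."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    chain.reverse()
    return chain


def detect(events) -> list:
    findings = []
    for ev in events:
        rules = classify(ev)
        if rules:
            chain = " -> ".join(f"{basename(a.image)}({a.pid})" for a in ancestry(events, ev.pid))
            findings.append(Finding(ev.pid, rules, chain))
    return findings


def parse_c2(url: str):
    """Split the extracted reverse_http URL into blockable host, port and URI path."""
    parts = urlsplit(url)
    return parts.hostname, parts.port, parts.path


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"pid={f.pid} rules={','.join(f.rules)} chain={f.chain}")
    host, port, path = parse_c2(C2_URL)
    print(f"block {host}:{port}  (uri stem {path.split('/')[1]})")
```

Rule 1 keys on the command line rather than the image, because the JVM itself is a signed, legitimate binary; rule 2 catches the dropped EXE regardless of its random name. Neither rule fires on the icacls event or on the ordinary -classpath launch, which is the false-positive case worth keeping in the fixture.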
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
  Filesize: 46B
  MD5: dab7d6b4d3e741a431dafa3960a13355
  SHA1: fcb372f3aa02b54eee4a4e5942a7c39163ef3484
  SHA256: 4028a4fad61bedae7d89700cbdc47560bc7a292b161e72c50af8d5cc7aa7b7f0
  SHA512: 10f7c5248fc647b131eb3595f89a7c10745d2af6a3b9ba537724ce5c175748a4679b7c0b26f8a48d8c25c5e4bb2bfc62d6cf23e57f41a686f336b71e418f2eed

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp  (second version of the same file)
  Filesize: 46B
  MD5: 7a1abb0dc8b5abf718856d2aa0f9a1c1
  SHA1: 49153477ed385a79f89f389fb5da5a8adce85bb7
  SHA256: 3b84ed1494857e1bddcb227934077d473196cc02ea05d9219b751b76581deae0
  SHA512: ba8307507f95e6382329d88b01391c19187d16d888b0e98ba067c64e516cfdddf0500b7556a67e88bba6d2ba88b89b0551172950bb63f15ac79cff5cad698f11

C:\Users\Admin\AppData\Local\Temp\~spawn62463778132253767.tmp.dir\metasploit.dat
  Filesize: 150B
  MD5: 19e9d0b283dcdc071eaca05823dbd213
  SHA1: ab9a0a8a10a8f6a4a29be4d597bc90a36ffa3469
  SHA256: e7630922f9616d8c5b53ae3ee73375142edf27b5feaf4294b5afa4ad95f9e008
  SHA512: 208ce02f5ab689e9ecb7954971ca586c78a037ea147ad78cf3eb258e7150ab526e2ec59b31843bad9e012f44e2e106493808114213a86daffcdd51ef6efc6d76

C:\Users\Admin\AppData\Local\Temp\~spawn62463778132253767.tmp.dir\metasploit\Payload.class
  Filesize: 8KB
  MD5: e0efce91393df3801df3790996946fb1
  SHA1: e72ae1cb75b65b46687a44122f609604a88f1134
  SHA256: f2d768ccb588b5bb61d18769b04c2adcc92ec17ca00032808a1aad8235820c0b
  SHA512: f8a10b4a88f978f8afa820e626b2d417764477889c7bf6de805fab2cf62ea9d553132e7083fb33929b0b8974c4a7a72720b20d154d7022100c15e0b53e2f784f

C:\Users\Admin\AppData\Local\Temp\~spawn659622527208658630.tmp.dir\zNxICWLP.exe
  Filesize: 72KB
  MD5: 8ae8af22e928115215835a6ac0c3558f
  SHA1: 94d50ae882570f3dc170888cc63401c4578c1856
  SHA256: e2c54b54fabaaa2203ca11de66f55df067d977d4abc04ed8311f1fda5bb89801
  SHA512: ec8f8be773646306a93131cc81de41276c2780738ae870c374da817dec98f6351d90918f84b683e6526c0b6ab6ec206b8ef518708cc801b37e6ec1ea154272eb

C:\Users\Admin\AppData\Local\Temp\~spawn8002907063451268695.tmp.dir\metasploit.dat
  Filesize: 150B
  MD5: b2ff005d164a40eae3b8a4409dacb89b
  SHA1: 6b60b059f0d122a4f976f680c2f7ed3424f5e8ba
  SHA256: 744936acf64f53376ef65f4de7924dfec158c169ee66959af3a5010f525fa43a
  SHA512: 9a69024ed7a01d30c3de20950929d48a5a15d2b1f11938203d14a1d492c266d58442841f84b0381f77060bb985d803c08f781419625ec6886859ca3bcc1f0169

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3571316656-3665257725-2415531812-1000\83aa4cc77f591dfc2374580bbd95f6ba_a47c70d8-7adc-4ad7-994f-644a8c84c176
  Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Memory dumps (PID-offset-range):
  memory/4092-22-0x000002B6CBA50000-0x000002B6CBA51000-memory.dmp   Filesize: 4KB
  memory/4092-2-0x000002B6CD220000-0x000002B6CD490000-memory.dmp    Filesize: 2.4MB
  memory/4092-60-0x000002B6CBA50000-0x000002B6CBA51000-memory.dmp   Filesize: 4KB
  memory/4092-61-0x000002B6CD220000-0x000002B6CD490000-memory.dmp   Filesize: 2.4MB
  memory/4940-36-0x0000024953450000-0x00000249536C0000-memory.dmp   Filesize: 2.4MB
  memory/4940-51-0x0000024951A70000-0x0000024951A71000-memory.dmp   Filesize: 4KB
  memory/4940-53-0x0000024953450000-0x00000249536C0000-memory.dmp   Filesize: 2.4MB
  memory/5088-19-0x0000018DE1D00000-0x0000018DE1F70000-memory.dmp   Filesize: 2.4MB
  memory/5088-54-0x0000018DE04F0000-0x0000018DE04F1000-memory.dmp   Filesize: 4KB
  memory/5088-57-0x0000018DE04F0000-0x0000018DE04F1000-memory.dmp   Filesize: 4KB
  memory/5088-58-0x0000018DE1D00000-0x0000018DE1F70000-memory.dmp   Filesize: 2.4MB