Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 05:51
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-23_88ae57b87b9553ad09012e234d02ceac_mafia.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-05-23_88ae57b87b9553ad09012e234d02ceac_mafia.exe
  Resource: win10v2004-20240508-en
General
- Target: 2024-05-23_88ae57b87b9553ad09012e234d02ceac_mafia.exe
- Size: 1.3MB
- MD5: 88ae57b87b9553ad09012e234d02ceac
- SHA1: 6dafdaea23649d4f6e8d9a5ce07b59a531cd101d
- SHA256: 27522bdeff6c73208c4068a84acac7cce6fa352ffa0b2969acaea6271a9fe57c
- SHA512: 944083c2ba00773714655be55782a10a7124ec63ad583d9ee162fe63b70c1b1f2d5d65017d37346f94119be2b7044612583cb9396a1ac6b3945ee98e94c450f4
- SSDEEP: 12288:nMdFv0dk0brhyp7R56xeQrxuHeUBioRvbrj0sL2YoMjZJM8M8M8MG:nM0rhuLQNuHeSl3p3jzM8M8M8MG
Malware Config
Signatures
- Modifies file permissions (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    880   javaws.exe
    880   javaws.exe
    2360  jp2launcher.exe
    2360  jp2launcher.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid   process
    4732  2024-05-23_88ae57b87b9553ad09012e234d02ceac_mafia.exe
    4732  2024-05-23_88ae57b87b9553ad09012e234d02ceac_mafia.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    pid   process
    4732  2024-05-23_88ae57b87b9553ad09012e234d02ceac_mafia.exe
    4732  2024-05-23_88ae57b87b9553ad09012e234d02ceac_mafia.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    2360  jp2launcher.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process                                                  target process
    PID 4732 wrote to memory of 880    4732  2024-05-23_88ae57b87b9553ad09012e234d02ceac_mafia.exe  javaws.exe
    PID 4732 wrote to memory of 880    4732  2024-05-23_88ae57b87b9553ad09012e234d02ceac_mafia.exe  javaws.exe
    PID 880 wrote to memory of 2360    880   javaws.exe                                               jp2launcher.exe
    PID 880 wrote to memory of 2360    880   javaws.exe                                               jp2launcher.exe
    PID 2360 wrote to memory of 1216   2360  jp2launcher.exe                                          icacls.exe
    PID 2360 wrote to memory of 1216   2360  jp2launcher.exe                                          icacls.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-23_88ae57b87b9553ad09012e234d02ceac_mafia.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-23_88ae57b87b9553ad09012e234d02ceac_mafia.exe"
  PID: 4732
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Java\jre-1.8\bin\javaws.exe (depth 2)
    Command line: "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -SSVBaselineUpdate
    PID: 880
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe (depth 3)
      Command line: "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma 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 -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
      PID: 2360
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\icacls.exe (depth 4)
        Command line: "C:\Windows\system32\icacls.exe" C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "\"everyone\":(OI)(CI)M"
        PID: 1216
        - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
  Filesize: 713B
  MD5: 9703e1fb93c569e2f82df277b782535b
  SHA1: 9310f5199f39a2eb70ae87962bac796eeadbaadb
  SHA256: d77b8ddb496d4b0bd07bdd909ca8271897520a96bb5fef8398b84f18a4f5315e
  SHA512: 372dbce21646f6a1d314b020476031f1229ffc34af04ed9cdb807e0277af790ec60782d2e4409067c865a2afb2afb257bde8801609ec2a07c16a8e45b20392bc
- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar
  Filesize: 12KB
  MD5: 4f9f42a2c5524bf0ce187c5dcb517b89
  SHA1: b54ff1e485ee0605753e23f254e288f9a79cc59d
  SHA256: e271e41f800f3f25e0f9fe212f2e31e6a57b74d28b89fd3425deb42a6a1b411a
  SHA512: 45eb73dae61b6cb855a33966b6c3f1f064a15714761e3075eda105f72adf3780b05dbfbcca75fb47734ca47bb6abe4a1db075d30b1db748ffca11d9928d6cdbc
- C:\Users\Admin\AppData\Local\Temp\jusched.log
  Filesize: 296KB
  MD5: 229a8ab53944737f3fa4dad1b52089de
  SHA1: 13e6077d9fa5344f6a3900adcbbcfdf9cd8a7bd1
  SHA256: 915383ce7ac9d1a3eef3bb95a3258cabd898aba8dcd719cd3b9d53a510f8b384
  SHA512: 0f482228f89730400084fa09ee8508f8c979c3d961aab02f3e393f066198e0231dab332b436ee1b235aff3cd1cb813b63d5d9cd32802828082c3d3832540dc25
- memory/2360-9-0x000001D09D610000-0x000001D09D880000-memory.dmp
  Filesize: 2.4MB
- memory/2360-27-0x000001D09D5F0000-0x000001D09D5F1000-memory.dmp
  Filesize: 4KB
- memory/2360-49-0x000001D09D5F0000-0x000001D09D5F1000-memory.dmp
  Filesize: 4KB
- memory/2360-82-0x000001D09D5F0000-0x000001D09D5F1000-memory.dmp
  Filesize: 4KB
- memory/2360-126-0x000001D09D5F0000-0x000001D09D5F1000-memory.dmp
  Filesize: 4KB
- memory/2360-127-0x000001D09D610000-0x000001D09D880000-memory.dmp
  Filesize: 2.4MB