hxxps://cdn[.]discordapp[.]com/attachments/1171570714717978697/1243726566673092619/SharksMod_1[.]19[.]_2_2[.]1[.]jar?ex=66532ee0&is=6651dd60&hm=75780266c7ebe1276d1cccb03c286d9f7a84e0e97697ed2434b3a92e6cd02a46&

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
25-05-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1171570714717978697/1243726566673092619/SharksMod_1.19._2_2.1.jar?ex=66532ee0&is=6651dd60&hm=75780266c7ebe1276d1cccb03c286d9f7a84e0e97697ed2434b3a92e6cd02a46&

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133611318352142136"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SharksMod_1.19._2_2.1.jar:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3544	chrome.exe
3544	chrome.exe
244	chrome.exe
244	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3544	chrome.exe
3544	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe
Token: SeShutdownPrivilege	3544	chrome.exe
Token: SeCreatePagefilePrivilege	3544	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 3448	3544	chrome.exe	80
PID 3544 wrote to memory of 3448	3544	chrome.exe	80
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 3492	3544	chrome.exe	81
PID 3544 wrote to memory of 2252	3544	chrome.exe	82
PID 3544 wrote to memory of 2252	3544	chrome.exe	82
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83
PID 3544 wrote to memory of 4872	3544	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1171570714717978697/1243726566673092619/SharksMod_1.19._2_2.1.jar?ex=66532ee0&is=6651dd60&hm=75780266c7ebe1276d1cccb03c286d9f7a84e0e97697ed2434b3a92e6cd02a46&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff837c1ab58,0x7ff837c1ab68,0x7ff837c1ab78
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1508 --field-trial-handle=1776,i,5780163677719666247,9726094534842043551,131072 /prefetch:2
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1776,i,5780163677719666247,9726094534842043551,131072 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2056 --field-trial-handle=1776,i,5780163677719666247,9726094534842043551,131072 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1776,i,5780163677719666247,9726094534842043551,131072 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1776,i,5780163677719666247,9726094534842043551,131072 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1776,i,5780163677719666247,9726094534842043551,131072 /prefetch:8
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1776,i,5780163677719666247,9726094534842043551,131072 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4292 --field-trial-handle=1776,i,5780163677719666247,9726094534842043551,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1468 --field-trial-handle=1776,i,5780163677719666247,9726094534842043551,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:244

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\34ebf6b2-4e32-4ddd-9ea3-5d83b3d04d6c.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
90987c6b426f9807f7326db7492fe189

SHA1
f3dddd861a56b99bd101412fbac17d7ad80b5bdf

SHA256
35ab4df730cfb8c664487aff347a6a9e06301d2f94f567550d37b992a6adeb57

SHA512
97cd668831e5ef03b2b17722d804334382a081a138cbb6a14e2f94c21cc2f4f72aea58b8788b66e5b5d534a04d1d1baaf3bbd62906ae0380fb670662db06c10e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
715cd59b5cab156da3a7f457b0554eaa

SHA1
a39ebae099e730a21ba552afc1f8b414b6954b9d

SHA256
fdd8aa992359210b0081116c2f302a90803f5fafb0c94682e67f9b2d5de283f3

SHA512
6be0c43209495b3ed5e6e20b7742877e191aec2d44c9be6b44653928905efb32f240703211e66816618b328ad2aa1ef5e5c08063e562e656839774fd4519a71d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
f7ee4f7c427da4f134227de3b419af56

SHA1
cd33d95b1fa40b426f03fa61dadb08240c77acbc

SHA256
37e6a305470644efe5f7c668c7d40d3d18a45e1e56921bb9ebcd0a2711d51d0c

SHA512
f1530e754f715acc1269181bdaa7e49b4cb5e3132c8c5b62302832ef85add3dea74658bdf2f0f93f10884d430ed33e1ead5585685984d63c957ff600ba0bf3a5

Download Submit
C:\Users\Admin\Downloads\SharksMod_1.19._2_2.1.jar

Filesize
109KB

MD5
25ffb2094a4b299d4de3075d3cd78978

SHA1
69e6e3f34a17f3c9f119ed9a8ea258a8de36472a

SHA256
94a8ae40c7decbb11c0770c63f906cfbb55ed05e3d1eaea2ab0a6c4ec0fd31f2

SHA512
fa0186e0f9e30deaad8e0e520897ecc11b7239c058007b09b8f49735fd46442634c6b53044a8711fdcf9d1d9a1de13e9510abc2ef799da60680cad1cc49f60fe

Download Submit
C:\Users\Admin\Downloads\SharksMod_1.19._2_2.1.jar:Zone.Identifier

Filesize
233B

MD5
930a9393e27b60ab3fb043b753bdf811

SHA1
7bb9652aed7d2e4898752bfe9d33f928541fdf22

SHA256
7c3a17d6f6e0809907276b15a4c2987813778ebfa5d6aa9f730e2a6d78f29048

SHA512
4f26585b4997c8062d9573f89a6934bbf2cc36c203940a8d7ac2c327543947a31b2ed31e4c335eda6cad2380b5e569c2ff948c0eef0106c98c0f702f13d1a89b

Download Submit