Analysis
- max time kernel: 1795s
- max time network: 1799s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/05/2024, 00:05
Static task: static1
Behavioral task: behavioral1
  Sample: VapeClientV4.jar
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: VapeClientV4.jar
  Resource: win10v2004-20240508-en
General
- Target: VapeClientV4.jar
- Size: 3.1MB
- MD5: 1616e1fecf7e9c204906e5e084f2b811
- SHA1: 138d8d6ef90147a77b0db1523d968ebd19520ffa
- SHA256: 3aa4340a89ef2af875654fc5a3658ff7af9b44acca7fd2fac6e71660689888c5
- SHA512: 4fa42411b681cf11cfc9ef8928d01e49dcbb21ec4fc27d35caecaf6a426740bad21bd70d9e7fd6ad8c057d22dbc4ff9edfc2a8d3961004282a58f592b39de429
- SSDEEP: 98304:DmVE3gfDfndOgR8clG+RZGliA03/GEpDodEgB:DmkgDQqGyEZ0+0opB
Malware Config
Signatures
- Modifies file permissions (1 TTPs, 1 IoCs)
  pid   Process
  1368  icacls.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1716856026479.tmp"
  Process: reg.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  13    pastebin.com
  14    pastebin.com
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  3608  PING.EXE
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  1072  java.exe
  1072  java.exe
  1072  java.exe
  1072  java.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process   procid_target
  PID 1072 wrote to memory of 1368   1072  java.exe  93
  PID 1072 wrote to memory of 1368   1072  java.exe  93
  PID 1072 wrote to memory of 3540   1072  java.exe  97
  PID 1072 wrote to memory of 3540   1072  java.exe  97
  PID 1072 wrote to memory of 2868   1072  java.exe  99
  PID 1072 wrote to memory of 2868   1072  java.exe  99
  PID 2868 wrote to memory of 4160   2868  cmd.exe   101
  PID 2868 wrote to memory of 4160   2868  cmd.exe   101
  PID 1072 wrote to memory of 5068   1072  java.exe  112
  PID 1072 wrote to memory of 5068   1072  java.exe  112
  PID 5068 wrote to memory of 2808   5068  cmd.exe   114
  PID 5068 wrote to memory of 2808   5068  cmd.exe   114
  PID 1072 wrote to memory of 844    1072  java.exe  115
  PID 1072 wrote to memory of 844    1072  java.exe  115
  PID 844 wrote to memory of 3608    844   cmd.exe   117
  PID 844 wrote to memory of 3608    844   cmd.exe   117
- Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid   Process
  3540  attrib.exe
Processes
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\VapeClientV4.jar
  PID:1072
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\icacls.exe
    Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    PID:1368
    - Modifies file permissions
  - C:\Windows\SYSTEM32\attrib.exe
    Command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716856026479.tmp
    PID:3540
    - Views/modifies file attributes
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716856026479.tmp" /f"
    PID:2868
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716856026479.tmp" /f
      PID:4160
      - Adds Run key to start application
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c "REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /f"
    PID:5068
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command line: REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /f
      PID:2808
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c ping localhost -n 6 > nul && del C:\Users\Admin\AppData\Local\Temp\VapeClientV4.jar
    PID:844
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      Command line: ping localhost -n 6
      PID:3608
      - Runs ping.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4008,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1724,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8
  PID:3092
Network
MITRE ATT&CK Enterprise v15
Downloads