Malware Analysis Report

2025-08-06 00:20

Sample ID 240528-adlsgsgc38
Target VapeClientV4.jar
SHA256 3aa4340a89ef2af875654fc5a3658ff7af9b44acca7fd2fac6e71660689888c5
Tags
discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

3aa4340a89ef2af875654fc5a3658ff7af9b44acca7fd2fac6e71660689888c5

Threat Level: Shows suspicious behavior

The file VapeClientV4.jar was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence

Modifies file permissions

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-28 00:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 00:05

Reported

2024-05-28 00:42

Platform

win7-20240221-en

Max time kernel

1562s

Max time network

1563s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\VapeClientV4.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\VapeClientV4.jar

Network

N/A

Files

memory/2280-2-0x0000000002590000-0x0000000002800000-memory.dmp

memory/2280-11-0x0000000001C70000-0x0000000001C71000-memory.dmp

memory/2280-12-0x0000000002590000-0x0000000002800000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 00:05

Reported

2024-05-28 00:57

Platform

win10v2004-20240508-en

Max time kernel

1795s

Max time network

1799s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\VapeClientV4.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1716856026479.tmp" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1072 wrote to memory of 1368 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 1072 wrote to memory of 1368 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 1072 wrote to memory of 3540 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\attrib.exe
PID 1072 wrote to memory of 3540 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\attrib.exe
PID 1072 wrote to memory of 2868 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1072 wrote to memory of 2868 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2868 wrote to memory of 4160 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 2868 wrote to memory of 4160 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 5068 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1072 wrote to memory of 5068 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 5068 wrote to memory of 2808 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 5068 wrote to memory of 2808 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 844 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1072 wrote to memory of 844 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 844 wrote to memory of 3608 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 844 wrote to memory of 3608 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\VapeClientV4.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716856026479.tmp

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716856026479.tmp" /f"

C:\Windows\system32\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716856026479.tmp" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4008,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /f"

C:\Windows\system32\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /f

C:\Windows\SYSTEM32\cmd.exe

cmd /c ping localhost -n 6 > nul && del C:\Users\Admin\AppData\Local\Temp\VapeClientV4.jar

C:\Windows\system32\PING.EXE

ping localhost -n 6

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1724,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 europe-door.gl.at.ply.gg udp
US 147.185.221.19:42565 europe-door.gl.at.ply.gg tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 96e1cd4caf90efc2463abac123b72aee
SHA1 f1a0f0f2bba273fd8e44749a1101d27479ea9f0c
SHA256 d14b97f13c1b2e583a35f04f9babd4e596d9142bb2df91f34eac760097bb30fe
SHA512 746621f448430d6829bd877b0a01f93f98f33973b2b3a27923603b7c8bcf89d66983dce6f36e729285d5884e7400bcba716725e04d74bcd3558ac1182d24374c

C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716856026479.tmp

MD5 1616e1fecf7e9c204906e5e084f2b811
SHA1 138d8d6ef90147a77b0db1523d968ebd19520ffa
SHA256 3aa4340a89ef2af875654fc5a3658ff7af9b44acca7fd2fac6e71660689888c5
SHA512 4fa42411b681cf11cfc9ef8928d01e49dcbb21ec4fc27d35caecaf6a426740bad21bd70d9e7fd6ad8c057d22dbc4ff9edfc2a8d3961004282a58f592b39de429

C:\Users\Admin\AppData\Local\Temp\imageio3102312804606906963.tmp

MD5 beeae1eddeb8f46bca4b791b0c5d7e5f
SHA1 5402258bafe4a4a88a61ecb4b07d89315167fd2d
SHA256 6ee7b36016e5253c3fb0857f9524a6968928a4abc1767556bcb124e411bb13e0
SHA512 5dcee85c039e6b1be7f8ef5ec4543f9a725d17cd213f1899936b398ba86c1be5f98e4d0828413b989723240fe5c496ad1f448f76233c4a9a5b760b8bd72a48c9
