Analysis Overview
SHA256
3aa4340a89ef2af875654fc5a3658ff7af9b44acca7fd2fac6e71660689888c5
Threat Level: Shows suspicious behavior
The file VapeClientV4.jar was found to show suspicious behavior.
Malicious Activity Summary
Modifies file permissions
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-28 00:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 00:05
Reported
2024-05-28 00:42
Platform
win7-20240221-en
Max time kernel
1562s
Max time network
1563s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\VapeClientV4.jar
Network
Files
memory/2280-2-0x0000000002590000-0x0000000002800000-memory.dmp
memory/2280-11-0x0000000001C70000-0x0000000001C71000-memory.dmp
memory/2280-12-0x0000000002590000-0x0000000002800000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-28 00:05
Reported
2024-05-28 00:57
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1799s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1716856026479.tmp" | C:\Windows\system32\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\VapeClientV4.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716856026479.tmp
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716856026479.tmp" /f"
C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716856026479.tmp" /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4008,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /f"
C:\Windows\system32\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /f
C:\Windows\SYSTEM32\cmd.exe
cmd /c ping localhost -n 6 > nul && del C:\Users\Admin\AppData\Local\Temp\VapeClientV4.jar
C:\Windows\system32\PING.EXE
ping localhost -n 6
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1724,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | europe-door.gl.at.ply.gg | udp |
| US | 147.185.221.19:42565 | europe-door.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
memory/1072-2-0x00000277043E0000-0x0000027704650000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 96e1cd4caf90efc2463abac123b72aee |
| SHA1 | f1a0f0f2bba273fd8e44749a1101d27479ea9f0c |
| SHA256 | d14b97f13c1b2e583a35f04f9babd4e596d9142bb2df91f34eac760097bb30fe |
| SHA512 | 746621f448430d6829bd877b0a01f93f98f33973b2b3a27923603b7c8bcf89d66983dce6f36e729285d5884e7400bcba716725e04d74bcd3558ac1182d24374c |
C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716856026479.tmp
| MD5 | 1616e1fecf7e9c204906e5e084f2b811 |
| SHA1 | 138d8d6ef90147a77b0db1523d968ebd19520ffa |
| SHA256 | 3aa4340a89ef2af875654fc5a3658ff7af9b44acca7fd2fac6e71660689888c5 |
| SHA512 | 4fa42411b681cf11cfc9ef8928d01e49dcbb21ec4fc27d35caecaf6a426740bad21bd70d9e7fd6ad8c057d22dbc4ff9edfc2a8d3961004282a58f592b39de429 |
C:\Users\Admin\AppData\Local\Temp\imageio3102312804606906963.tmp
| MD5 | beeae1eddeb8f46bca4b791b0c5d7e5f |
| SHA1 | 5402258bafe4a4a88a61ecb4b07d89315167fd2d |
| SHA256 | 6ee7b36016e5253c3fb0857f9524a6968928a4abc1767556bcb124e411bb13e0 |
| SHA512 | 5dcee85c039e6b1be7f8ef5ec4543f9a725d17cd213f1899936b398ba86c1be5f98e4d0828413b989723240fe5c496ad1f448f76233c4a9a5b760b8bd72a48c9 |