Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30/05/2024, 13:57
Static task
static1
Behavioral task
behavioral1
Sample
returns.jar
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
returns.jar
Resource
win10v2004-20240508-en
General
-
Target
returns.jar
-
Size
672KB
-
MD5
e7f87993af6656061d91eb8ac65a2c5e
-
SHA1
197a771526fec5b516c2aabdd196a6b965db222e
-
SHA256
f7b4101d747056be7e23e22de55fe93a77ceac5038e1174db9a023d031c80d34
-
SHA512
6f074fd75e18c64aa5214669dba409a7f043024848c5f949626ff9961035b0ac912fa666a12cf3430ab1899080f056c80b24928e61c44f5688d4c03c0a4d922e
-
SSDEEP
12288:3k2Pvzp0tHr2/qWSITW1t61Qd0OvZm7Yw97dDs7Y+WqE73nJ0QQU8Wg1IGVd2GEJ:U2HNUHr2/vSIif6NomkgKY+bGJgyG+lJ
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3404 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1717077432401.tmp" reg.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4460 java.exe 4460 java.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4460 wrote to memory of 3404 4460 java.exe 83 PID 4460 wrote to memory of 3404 4460 java.exe 83 PID 4460 wrote to memory of 2932 4460 java.exe 88 PID 4460 wrote to memory of 2932 4460 java.exe 88 PID 2932 wrote to memory of 3656 2932 cmd.exe 90 PID 2932 wrote to memory of 3656 2932 cmd.exe 90
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\returns.jar1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M2⤵
- Modifies file permissions
PID:3404
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717077432401.tmp" /f"2⤵
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717077432401.tmp" /f3⤵
- Adds Run key to start application
PID:3656
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46B
MD57338d7d70115b1e2eb1a9f1aaa06a1e0
SHA1855e068c1b9930348e5da48283e9e3bb71ed10c3
SHA256511c2612564b0244864fde3e87947c6984e5cc100a0106146585dd68002ce3dd
SHA512dd06060e8f2fcd28f184249385a8cbc96018e3ec8ad052a8ae0baaaf3cf072f5a95d971fd02620d14a0d600e8d256ff307fea0542c53d64d5169fdc8a46e8a1e
-
Filesize
639KB
MD5084cfe9ae1e353f656b978eed500189c
SHA1bd770eb43e4915d396aed1010e6d423668d99164
SHA25646f065657f246571a5c9480680efd2cbe38affebd39c90ba36a165a39b93f881
SHA51217936a3c0aa3ab79482d6da66647d8e5774cb67ccd6ef4186e52185c4cf6b5edbed5877f12ca315c03fa2d6add07c667205d69e8584c51134f20d7e171e50131