Malware Analysis Report

2024-11-13 13:30

Sample ID: 240604-bqck1sgb6z
Target: earthhack-fabric-1.0.1.jar
SHA256: cf7ac87b097ca8b7f04c1b0e76c23258534b8d9c4af44b9b9af9c4c1ec372408
Tags: discovery
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: cf7ac87b097ca8b7f04c1b0e76c23258534b8d9c4af44b9b9af9c4c1ec372408

Threat Level: Shows suspicious behavior

Verdict for earthhack-fabric-1.0.1.jar: shows suspicious behavior.

Malicious Activity Summary

discovery

Modifies file permissions

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-04 01:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-04 01:20
Reported: 2024-06-04 01:22
Platform: win7-20240221-en
Max time kernel: 1s
Max time network: 6s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\earthhack-fabric-1.0.1.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\earthhack-fabric-1.0.1.jar

Network

N/A

Files

memory/1908-2-0x00000000021B0000-0x0000000002420000-memory.dmp

memory/1908-10-0x0000000001D60000-0x0000000001D61000-memory.dmp

memory/1908-11-0x00000000021B0000-0x0000000002420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-04 01:20
Reported: 2024-06-04 01:22
Platform: win10v2004-20240508-en
Max time kernel: 33s
Max time network: 33s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\earthhack-fabric-1.0.1.jar

Signatures

Modifies file permissions

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 548 wrote to memory of 3936 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe
PID 548 wrote to memory of 3936 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\earthhack-fabric-1.0.1.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.129:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp
NL | 23.62.61.129:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp

Files

memory/548-2-0x0000011318610000-0x0000011318880000-memory.dmp

memory/548-11-0x00000113185F0000-0x00000113185F1000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5: dd65143d19762cbb04cdb62d1c71fc0f
SHA1: 73f88959efcffb54cb2d48f92bd5f5acd34e3c0b
SHA256: 015cdb63b6ad37c35cb8dabdb1b38f4bcb0e8ffb087602b4086ca38b8a4de242
SHA512: 2eefe6edc44243cf52527cb1f2ef2dc59241194ba5f4196bc5030f41c4f77c8d636dc161c6cad8198e5b6b0ab7c3e47f0db855b33dea27152fc6d41187a04dfe

memory/548-13-0x0000011318610000-0x0000011318880000-memory.dmp