Overview

overview

8

Static

static

1

Burpy-main.zip

windows7-x64

1

Burpy-main.zip

windows10-2004-x64

1

Burpy-main...en.jar

windows7-x64

1

Burpy-main...en.jar

windows10-2004-x64

7

Burpy-main...tup.sh

ubuntu-18.04-amd64

3

Burpy-main...tup.sh

debian-9-armhf

4

Burpy-main...tup.sh

debian-9-mips

7

Burpy-main...tup.sh

debian-9-mipsel

7

Burpy-main...up.ps1

windows7-x64

3

Burpy-main...up.ps1

windows10-2004-x64

8

Burpy-main...pro.sh

ubuntu-18.04-amd64

1

Burpy-main...pro.sh

debian-9-armhf

1

Burpy-main...pro.sh

debian-9-mips

1

Burpy-main...pro.sh

debian-9-mipsel

1

Burpy-main/keygen.jar

windows7-x64

1

Burpy-main/keygen.jar

windows10-2004-x64

7

Burpy-main/loader.jar

windows7-x64

1

Burpy-main/loader.jar

windows10-2004-x64

7

Analysis

  • max time kernel
    126s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-06-2024 17:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Burpy-main/Windows_setup.ps1

  • Size

    4KB

  • MD5

    74f29e4d8a32cc05bcf2c178776bd474

  • SHA1

    d12b722495c870c3d14f0bf63bea982327aab47b

  • SHA256

    8425f0551e0370598a2971d6d1643ea66a46120e0091bc780cd4f2796dd1b0ba

  • SHA512

    57ebd2f8389e093d6253a13c5b55d311e890f80c998cd44d177711ebafe878c734db42b7603db2f308c9f57415ba7d885db23540ab9f8ba649f8966cfc017f7d

  • SSDEEP

    96:HBDJa7Cc0SN5Hghz2P02RuPUeLbk7lfPQ5P02RutZn:dj7SjAhGeLMlnQLsZn

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 40 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 34 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 14 IoCs
  • Modifies registry class 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Burpy-main\Windows_setup.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3136
    • C:\Users\Admin\AppData\Local\Temp\Burpy-main\jdk-19.exe
      "C:\Users\Admin\AppData\Local\Temp\Burpy-main\jdk-19.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Users\Admin\AppData\Local\Temp\jds240625390.tmp\jdk-19.exe
        "C:\Users\Admin\AppData\Local\Temp\jds240625390.tmp\jdk-19.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Windows\System32\msiexec.exe
          "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk19.0.2_x64\jdk19.0.264.msi" WRAPPER=1
          4⤵
          • Blocklisted process makes network request
          • Enumerates connected drives
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:3264
    • C:\Program Files\Common Files\Oracle\Java\javapath\java.exe
      "C:\Program Files\Common Files\Oracle\Java\javapath\java.exe" -jar New-loader.jar
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Program Files\Java\jdk-19\bin\java.exe
        "C:\Program Files\Java\jdk-19\bin\java.exe" -jar New-loader.jar
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3872
    • C:\Program Files\Common Files\Oracle\Java\javapath\java.exe
      "C:\Program Files\Common Files\Oracle\Java\javapath\java.exe" --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.tree=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.Opcodes=ALL-UNNAMED -javaagent:New-loader.jar -noverify -jar burpsuite_pro.jar
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Program Files\Java\jdk-19\bin\java.exe
        "C:\Program Files\Java\jdk-19\bin\java.exe" --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.tree=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.Opcodes=ALL-UNNAMED -javaagent:New-loader.jar -noverify -jar burpsuite_pro.jar
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4896
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 31C8DF051237712B10A1E08D38249F80 C
      2⤵
      • Loads dropped DLL
      PID:1408
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2444
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 480E49546A7808D2BD7191B708E50506
        2⤵
        • Loads dropped DLL
        PID:2944
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 2691E32491690FA22791D931520810B5 E Global\MSI0000
        2⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:4112
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3532

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e5807fb.rbs
      Filesize

      10KB

      MD5

      2c46315d44449fc432d55619bbdcb6cc

      SHA1

      6104b71ff3c95e97186528c155b5a597bd543406

      SHA256

      2c948c6ee6689e4c1ce712cb2e81ffc390168fdcd5489ab59c9a9631bbaa919d

      SHA512

      6da4af621779ba932c13f396a3b249d30ce3271c9b66b8d238d49d727b7c2f6baa0d494b725ccd6cfc5b5ff062c09145fbaa6f4fe251133bb9198635896cfb73

      Download Submit

    • C:\Program Files\Java\jdk-19\LICENSE
      Filesize

      6KB

      MD5

      7369866495acb2d7e57397f06a3ab0ba

      SHA1

      e75e828ba2898c74b4a682ce5291a69acf9cc55a

      SHA256

      4d156eecbf6ca462d8cf772552fff874b167f87def9566837fb8e4fb347f29a5

      SHA512

      6c1ae5229953259a258bf140241afa9dc50b642dbb5a11c183c8920678292266aecc26dd1254c3ce9184fe08c3068e2183a694a9a06f5972cc535015461ff825

      Download Submit

    • C:\Program Files\Java\jdk-19\bin\windowsaccessbridge-64.dll
      Filesize

      71KB

      MD5

      d0f2ded56013e0f7beff01e7955d980c

      SHA1

      2c27d8f6bffa6ee538a43daba9cb0fac07abb146

      SHA256

      0a6b0bca5086994476cac894dc945eee43ede4e2f266435b5c812db54fec06f9

      SHA512

      19803c8222f3923d2813187198e79a4d8f35622694a3a36a5c5f43f9cde397f8fdfdd54293dd909897dd56712befe51263cbeb21afb8a390c01410fe0446ff74

      Download Submit

    • C:\Program Files\Java\jdk-19\legal\java.logging\COPYRIGHT
      Filesize

      35B

      MD5

      4586c3797f538d41b7b2e30e8afebbc9

      SHA1

      3419ebac878fa53a9f0ff1617045ddaafb43dce0

      SHA256

      7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018

      SHA512

      f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

      Download Submit

    • C:\Program Files\Java\jdk-19\legal\java.logging\LICENSE
      Filesize

      33B

      MD5

      16989bab922811e28b64ac30449a5d05

      SHA1

      51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

      SHA256

      86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

      SHA512

      86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63
      Filesize

      727B

      MD5

      8c4490bfed0c55aad8293c94b0798275

      SHA1

      02520f22bba6701cba5b08c8010cb3d6437b9c5e

      SHA256

      93b6267ebf74cfb0aa57ef3380931f530f6a36c5f2f7df673fbe259cb8a2f01a

      SHA512

      5674de30201161d51b50ff697a2443b8f2363f60d34cb2e488100087c8b548cc4b8b2412516512d30ae3814cc18e71a876c9b07b0e0ad59d02871af55ac964c6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63
      Filesize

      404B

      MD5

      f1cf94bebc863875ddfae91cc46ac7ab

      SHA1

      018ebaa0d665edb5b3ac6901b96786b3ecef8192

      SHA256

      a23d76d7aec5f9832bbcd9eb8e9bfbf89c6cad00bd566176f29604787d18afc8

      SHA512

      3f66f7d242879e4ca1a6770388d8f220e7928581de372ed30b9aae41e1c682b49525947c1c265904f0450d4b4b8e2fd1e914b36b022794d654c88f201e045766

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\JavaLauncher.log
      Filesize

      1KB

      MD5

      fe68e8d1bd0089533d36b5c34c4557c0

      SHA1

      0f3336d65d90224b5a6b73acc78e4ccffcb495ad

      SHA256

      b34819e94ccceab4006afde60438a1059c09914db563b3c486348ad8b03772e3

      SHA512

      db3f049768ab92a5df7fb761a6215a16b815986fcbf78a2882644c5eb8ffcb2f3fe98c42ec10c3bf11a113705d60f22cd3ae77ac1b254de6e157d0d13e4a2207

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\JavaLauncher.log
      Filesize

      3KB

      MD5

      0074575066943ea1bcc85321e49e4049

      SHA1

      90791984351480950320f31b035ab17fbce02e5f

      SHA256

      369c152268d4075a533407860505c9d029805ac2629b84aa84d0aefbe04e2c1e

      SHA512

      6de3400ba0a38d5d6869add3217d9ace983f0acb3d5ace5fc9519b28598f58399d6eb1e900f39451a2d754720a717e2f6e632d48d8824f8afe792d21dca14dc3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\JavaLauncher.log
      Filesize

      4KB

      MD5

      4cecfd7fef407cf2482bff15beed8e4b

      SHA1

      d99b44dc282f9458eab50d9c2b2b6d10c70c9026

      SHA256

      13c8534c523aa4f912ca22b329f18b1df248c743505074d000ec59e2e650e547

      SHA512

      e66d880727011e2cf7683738e2a88c2fc1abe966ac0d13db00f88e8c0c59a724db802a689ca19f9cfc644c49e97571eeea0ebe725edb02dd44e6e8135fb33e58

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIB6DC.tmp
      Filesize

      894KB

      MD5

      d849eed8fef39365cb0987f2c3d1c26f

      SHA1

      25ad42230ba2d0f163649f560ec09250d60f263c

      SHA256

      9ffced196504a78813600ad96108f45ed4667c13dc0ea545b0444d923b871650

      SHA512

      8b418c1f71c6d9b8c922d1634258132a0cc280ff90272b042cbfcea67c8576bb8db38a595fe27d65e90275d9e5d52c8dd5bbdff52e71c5d5f7e576685352184b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_soc2mfzr.gvy.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jusched.log
      Filesize

      309KB

      MD5

      30913a952586800916d6a591c05069f1

      SHA1

      2b76940dc107bf7a093c60fa45fa5514f5c02bea

      SHA256

      d227f2f58a898f27ed47818fc83d4851659146491cc30228e368ebc762b58e8c

      SHA512

      71f0cd94bc59d7d6ed61711ecc7527d03d527e3073e9861445d118caf4443aa0f76849006661634926a3e7cba32508b0e6d0b4516cddb43791f77b99951320d3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jusched.log
      Filesize

      313KB

      MD5

      d85baccf3add1c404f8d30ba284c5fe4

      SHA1

      a3183d1f96742058503a3ada2953f36c97272834

      SHA256

      75e72823c8e8bd2e6af57a3e7a3dcc481412ff3bbc2a67ab2a368233aeb32825

      SHA512

      34a8b7a9311ba03142cf87ac97df7ff32ca77b3bb6f3557a384785dcfda1bb865cbe1d16e04988275648c91c0021595c65f752ae2a5baeb0fa025dd720da4b57

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jusched.log
      Filesize

      314KB

      MD5

      ae46cafe672175bd3afbe8b7429de45e

      SHA1

      88b9af10c737e698cbcdfadc29c38c2fc1a94a84

      SHA256

      97ed9a8db17275b9d2104d02a9da3d6f3bc63226d1011f2c547039676f813e4f

      SHA512

      4c4e196cf16dd46a8688f2877ec88b1d3b25d925dbf8c2b0b83e8e4a2e092ce49558c8db1502e7fe60e367a960dc48d007dc7e5749d6f80fa5450b47ca9db4c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jusched.log
      Filesize

      296KB

      MD5

      5179c3d3e17d3d3975f24b06dd0d8ea3

      SHA1

      78aa176a93556d30a55d4471fdb518c26543a832

      SHA256

      3c05bc2cac7afc497531dc1cb068d947e6af1a496a5a931b787d7a8a76d46b36

      SHA512

      92a8a969a39db7559cd6ba46e80f6e3d39328ed6c05f16dbbb7097713822d45eec42d21ba09233996573f2a8c617c38f13ceba65656e59a4e0dcf57466826ef5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jusched.log
      Filesize

      302KB

      MD5

      8daec50c08a0be5d3fa75b54e6e5cfe8

      SHA1

      a9a2b7568f1c4ffe6ba1448333bd18e3514a0ca5

      SHA256

      c6ddffc17613426f7d783af8b241a7f6df5b66d4fd6a613867d6ade68b719515

      SHA512

      8ec4d50b97f2522fbe0e0986125e4adee623196ebee44d9ac04a9890278acb7cd58ec9a6ab9656c9884d3d76b559ee5739f5ddaa49829571ddf6a0b32d3ee157

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.7MB

      MD5

      632d49aeee73014f9b3750c48335dab7

      SHA1

      1d6d680f2ded524095b8cfdbfe8c54aa4cc37639

      SHA256

      4b4f6b573be265ef4752c101429fe3366e45c9ea9c01c36a456db8a1b377670d

      SHA512

      847926ea2260e8db554699a898109fc27a9d1cfbcb8261c578e125ad98d07447cf343d1c5a5e0dd546c5d437433cb09a19c69b738ee4903a649cb6549d431c7f

      Download Submit

    • \??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{11936229-61f0-4fb3-b5d1-323cc8dbb547}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      937dddee0e58d38d5ecef9b71e97a78d

      SHA1

      cec08947553e57e3673d1327309b1d8746998bf4

      SHA256

      2c752915bed704e8e87f4898e15fe86638b30b5e5584c05dbbf82df87f4509a8

      SHA512

      71a537f3087aa5712e91ca458d559454d96600a16a527e60054c3432c868da8d746e195e2bc538af6f9ace07d01dd5c4752f2b2e55bafa989cb25dd1347bc720

      Download Submit

    • memory/3136-127-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3136-126-0x00007FFFF3A33000-0x00007FFFF3A35000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3136-99-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3136-0-0x00007FFFF3A33000-0x00007FFFF3A35000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3136-12-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3136-11-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3136-3-0x000001C37D6F0000-0x000001C37D712000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3136-955-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

      Filesize

      10.8MB

      Download