Overview

overview

7

Static

static

1

Akemi-Stealer.jar

windows11-21h2-x64

7

Analysis

  • max time kernel
    94s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25/09/2024, 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Akemi-Stealer.jar

  • Size

    11.5MB

  • MD5

    0685bd8a3226e43102507072babd7c8c

  • SHA1

    25732dafbacefb99885e7576fa28137da356433e

  • SHA256

    28ba6cd4e8c4053023eed8ba837053feaac080e2a349a01d6a97f8631010f542

  • SHA512

    d786d735c4e7d4ca5b2c418ffae2614ef3b1c66d741f62d72cdaf142ea4dfa60ba05fc8c789043a8361e1db7e8c81b5b7523b3262ad4b38b30f122777bd193c8

  • SSDEEP

    196608:/Dfl4LDNwL4GTesx7kfUSLjnea56vClC5MZN0Njm8gRq5m51:bfl4vNwv/7jSv3kvqC5Mctt81

Score
7/10
discovery

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Kills process with taskkill 14 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\Akemi-Stealer.jar
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SYSTEM32\reg.exe
      reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper
      2⤵
        PID:2892
      • C:\Windows\SYSTEM32\REG.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        2⤵
          PID:1984
        • C:\Windows\SYSTEM32\REG.exe
          REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
          2⤵
            PID:1744
          • C:\Windows\System32\Wbem\wmic.exe
            wmic path win32_VideoController get name
            2⤵
            • Detects videocard installed
            • Suspicious use of AdjustPrivilegeToken
            PID:4692
          • C:\Windows\System32\Wbem\wmic.exe
            wmic bios get serialnumber
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1236
          • C:\Windows\SYSTEM32\reg.exe
            reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v SystemBiosVersion
            2⤵
            • Checks BIOS information in registry
            PID:3228
          • C:\Windows\System32\Wbem\wmic.exe
            wmic computersystem get model
            2⤵
              PID:4712
            • C:\Windows\System32\Wbem\wmic.exe
              wmic csproduct get uuid
              2⤵
                PID:1216
              • C:\Windows\SYSTEM32\tasklist.exe
                tasklist
                2⤵
                • Enumerates processes with tasklist
                PID:1248
              • C:\Windows\SYSTEM32\taskkill.exe
                taskkill /F /IM firefox.exe
                2⤵
                • Kills process with taskkill
                PID:2192
              • C:\Windows\SYSTEM32\taskkill.exe
                taskkill /F /IM waterfox.exe
                2⤵
                • Kills process with taskkill
                PID:980
              • C:\Windows\SYSTEM32\taskkill.exe
                taskkill /F /IM msedge.exe
                2⤵
                • Kills process with taskkill
                PID:1416
              • C:\Windows\SYSTEM32\taskkill.exe
                taskkill /F /IM iexplore.exe
                2⤵
                • Kills process with taskkill
                PID:3740
              • C:\Windows\SYSTEM32\taskkill.exe
                taskkill /F /IM chrome.exe
                2⤵
                • Kills process with taskkill
                PID:2780
              • C:\Windows\SYSTEM32\taskkill.exe
                taskkill /F /IM iridium.exe
                2⤵
                • Kills process with taskkill
                PID:2976
              • C:\Windows\SYSTEM32\taskkill.exe
                taskkill /F /IM dragon.exe
                2⤵
                • Kills process with taskkill
                PID:788
              • C:\Windows\SYSTEM32\taskkill.exe
                taskkill /F /IM opera.exe
                2⤵
                • Kills process with taskkill
                PID:3076
              • C:\Windows\SYSTEM32\taskkill.exe
                taskkill /F /IM brave.exe
                2⤵
                • Kills process with taskkill
                PID:4488
              • C:\Windows\SYSTEM32\taskkill.exe
                taskkill /F /IM browser.exe
                2⤵
                • Kills process with taskkill
                PID:1424
              • C:\Windows\SYSTEM32\taskkill.exe
                taskkill /F /IM safari.exe
                2⤵
                • Kills process with taskkill
                PID:4932
              • C:\Windows\SYSTEM32\taskkill.exe
                taskkill /F /IM chromium.exe
                2⤵
                • Kills process with taskkill
                PID:4792
              • C:\Windows\SYSTEM32\taskkill.exe
                taskkill /F /IM pale moon.exe
                2⤵
                • Kills process with taskkill
                PID:3020
              • C:\Windows\SYSTEM32\taskkill.exe
                taskkill /F /IM avant.exe
                2⤵
                • Kills process with taskkill
                PID:2292
              • C:\Windows\System32\Wbem\wmic.exe
                wmic os get /format:list
                2⤵
                  PID:2084
                • C:\Windows\System32\Wbem\wmic.exe
                  wmic os get Caption
                  2⤵
                    PID:3516
                  • C:\Windows\System32\Wbem\wmic.exe
                    wmic path win32_VideoController get name
                    2⤵
                    • Detects videocard installed
                    PID:3652
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4840
                  • C:\Windows\System32\Wbem\wmic.exe
                    wmic bios get serialnumber
                    2⤵
                      PID:1880
                    • C:\Windows\System32\Wbem\wmic.exe
                      wmic csproduct get version
                      2⤵
                        PID:4588
                      • C:\Windows\SYSTEM32\schtasks.exe
                        schtasks /create /tn "WindowsUpdater" /tr "javaw -jar C:\Users\Admin\AppData\Roaming\Microsoft\Windows\driver.jar" /sc minute /mo 1 /f
                        2⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:4496
                    • C:\Windows\system32\taskmgr.exe
                      "C:\Windows\system32\taskmgr.exe" /0
                      1⤵
                      • Checks SCSI registry key(s)
                      • Checks processor information in registry
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:4276
                    • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.EXE
                      "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.EXE" -jar C:\Users\Admin\AppData\Roaming\Microsoft\Windows\driver.jar
                      1⤵
                      • Loads dropped DLL
                      • Suspicious use of SetWindowsHookEx
                      PID:4260

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\JNativeHook.x86_64.dll
                      Filesize

                      80KB

                      MD5

                      e9a449971b9efb0a2e12b9cfdd95c076

                      SHA1

                      385777659fa84e94a3812eb9a8afad27ae3ceed4

                      SHA256

                      b8c331c9f915960201da9af9c9dc8309e95e7d533741e71f4a5d13ca007d3e18

                      SHA512

                      bbcaf66b316cb60c63bb190099bee36a0059f13fa35fdf3a9a3e7e9a5304abe57acd71d644cde554427825249b460d58f0aba79f599f0c6fa40d23ea21aa941d

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1w0gm4ih.3az.ps1
                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna1887029736487585205.dll
                      Filesize

                      248KB

                      MD5

                      719d6ba1946c25aa61ce82f90d77ffd5

                      SHA1

                      94d2191378cac5719daecc826fc116816284c406

                      SHA256

                      69c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44

                      SHA512

                      119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\sqlite-3.44.1.0-e5810fde-9ccc-4e1e-8881-e8258bec172c-sqlitejdbc.dll
                      Filesize

                      933KB

                      MD5

                      e1d69e2d6b6b96891a16068b9e4cf439

                      SHA1

                      e32f4dc6dbe9e5cd3a33508757feec9f5d4e198a

                      SHA256

                      393e8faa8231ac4090f4feabecaf2db00c7bff4b2671c685850b36910d694967

                      SHA512

                      1bd0f6d958086b20f37431f043d35637f7a99d4bef442c0092a15799bba66fc622c9f356791fb0a8b8b15fd6d6863bbb0acf1bc70fea8e1be35e0f325e9363e1

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3007475212-2160282277-2943627620-1000\83aa4cc77f591dfc2374580bbd95f6ba_4880fff3-ce96-47a8-956d-b60b04225313
                      Filesize

                      45B

                      MD5

                      c8366ae350e7019aefc9d1e6e6a498c6

                      SHA1

                      5731d8a3e6568a5f2dfbbc87e3db9637df280b61

                      SHA256

                      11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

                      SHA512

                      33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\driver.jar
                      Filesize

                      11.5MB

                      MD5

                      0685bd8a3226e43102507072babd7c8c

                      SHA1

                      25732dafbacefb99885e7576fa28137da356433e

                      SHA256

                      28ba6cd4e8c4053023eed8ba837053feaac080e2a349a01d6a97f8631010f542

                      SHA512

                      d786d735c4e7d4ca5b2c418ffae2614ef3b1c66d741f62d72cdaf142ea4dfa60ba05fc8c789043a8361e1db7e8c81b5b7523b3262ad4b38b30f122777bd193c8

                      Download Submit

                    • memory/2336-128-0x00000175FA1D0000-0x00000175FA1D1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2336-2-0x0000017580000000-0x0000017580270000-memory.dmp

                      Filesize

                      2.4MB

                      Download

                    • memory/2336-72-0x00000175FA1D0000-0x00000175FA1D1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2336-61-0x00000175FA1D0000-0x00000175FA1D1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2336-130-0x0000017580000000-0x0000017580270000-memory.dmp

                      Filesize

                      2.4MB

                      Download

                    • memory/2336-129-0x00007FFE9AD90000-0x00007FFE9AE80000-memory.dmp

                      Filesize

                      960KB

                      Download

                    • memory/2336-16-0x00000175FA1D0000-0x00000175FA1D1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2336-47-0x00000175FA1D0000-0x00000175FA1D1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2336-56-0x00000175FA1D0000-0x00000175FA1D1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4260-217-0x000002C0C3170000-0x000002C0C3171000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4260-200-0x000002C0C3170000-0x000002C0C3171000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4260-169-0x000002C0C3170000-0x000002C0C3171000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4260-215-0x000002C0C3170000-0x000002C0C3171000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4260-224-0x000002C0C3170000-0x000002C0C3171000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4260-219-0x000002C0C3170000-0x000002C0C3171000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4276-143-0x000001D2651C0000-0x000001D2651C1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4276-137-0x000001D2651C0000-0x000001D2651C1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4276-138-0x000001D2651C0000-0x000001D2651C1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4276-139-0x000001D2651C0000-0x000001D2651C1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4276-140-0x000001D2651C0000-0x000001D2651C1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4276-141-0x000001D2651C0000-0x000001D2651C1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4276-142-0x000001D2651C0000-0x000001D2651C1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4276-132-0x000001D2651C0000-0x000001D2651C1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4276-133-0x000001D2651C0000-0x000001D2651C1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4276-131-0x000001D2651C0000-0x000001D2651C1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4840-104-0x000002A3EE640000-0x000002A3EE662000-memory.dmp

                      Filesize

                      136KB

                      Download