dynamicrat | 287e892aeb4be05c881e19da227d0398cd321d5a9af837932c12dfaab641b4cb

Analysis

max time kernel
148s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05/10/2024, 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

185.jar
Size

14.5MB
MD5

29fd6772aafb08c90b1ff9a91f48ecff
SHA1

39628a8412e0a14126da2bfa5fbe7af5069e1eec
SHA256

287e892aeb4be05c881e19da227d0398cd321d5a9af837932c12dfaab641b4cb
SHA512

4d75584621d843d16ed97986e123be2751478e8047ac43a8a722daa3a548a2833293f0cc86ae9c229b4a2df2ae9a69e7e3ce3333da3696c48a4712d52950173e
SSDEEP

393216:hU+MrvMUXlIm0QEiK4JISelo4pOT0w03Bl:hSIelIvgJYlIIF3/

Score

10^/10

dynamicrat discovery persistence privilege_escalation rat

Malware Config

Signatures

Dynamic RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000001ac54-102.dat	family_dynamicrat

DynamicRat
DynamicRat is a remote access trojan malware written in Java.
rat dynamicrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jre-8u371-windows-x64.jar	javaw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jre-8u371-windows-x64.jar	javaw.exe

Loads dropped DLL 3 IoCs

pid	Process
1260	java.exe
4492	javaw.exe
4492	javaw.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1916	icacls.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4492	javaw.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1260	java.exe
1260	java.exe
1260	java.exe
1260	java.exe
4492	javaw.exe
4492	javaw.exe
4492	javaw.exe
4492	javaw.exe
4492	javaw.exe
4492	javaw.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1916	1260	java.exe	74
PID 1260 wrote to memory of 1916	1260	java.exe	74
PID 1260 wrote to memory of 4492	1260	java.exe	76
PID 1260 wrote to memory of 4492	1260	java.exe	76
PID 4492 wrote to memory of 4308	4492	javaw.exe	77
PID 4492 wrote to memory of 4308	4492	javaw.exe	77
PID 4492 wrote to memory of 2072	4492	javaw.exe	79
PID 4492 wrote to memory of 2072	4492	javaw.exe	79

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\185.jar
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:1916
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw" -jar "C:\Users\Admin\AppData\Local\Temp\m17281388413128031215267446672284.tmp" DELAY:3
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SYSTEM32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4308
- - C:\Windows\SYSTEM32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
0c76e8aaf75fe20df66848720039664d

SHA1
553ba696c52c17352fc6e262a5a7d22ffe40bc1f

SHA256
ec99091cc62229be41654917f84562e22fa1c467402f1e1c8670ecb3014b4e67

SHA512
e82736dbd0d3d6e1e1ae031430681c72e96ca3608d3cbf597802204c067495c0433e803601a6d917326dcb05cbd865e0cf686b4e64625ba11402a1cc37997dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\m17281388413128031215267446672284.tmp

Filesize
13.9MB

MD5
a74e3a679307d0c527f75e471229a6b0

SHA1
aea3fe7535be76a64ad06292dae50595abf5e3a8

SHA256
cc1f7f46569c47b6aaf3000374073e30f92350b876d69bc02771664fa5212014

SHA512
bfd7c2ea7e31b404d70d68e21f3e597cc8a548be4ecc745a795106fa946f15b67636598a8c78fc8f8d7e1bbe226982cabbfc8169cbe20d2548ca7478589d018d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3968772205-1713802336-1776639840-1000\83aa4cc77f591dfc2374580bbd95f6ba_f4fe33a0-f73d-4d5c-8730-deeef20ef238

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
\Users\Admin\AppData\Local\Temp\JNativeHook-385777659FA84E94A3812EB9A8AFAD27AE3CEED4.x86_64.dll

Filesize
80KB

MD5
e9a449971b9efb0a2e12b9cfdd95c076

SHA1
385777659fa84e94a3812eb9a8afad27ae3ceed4

SHA256
b8c331c9f915960201da9af9c9dc8309e95e7d533741e71f4a5d13ca007d3e18

SHA512
bbcaf66b316cb60c63bb190099bee36a0059f13fa35fdf3a9a3e7e9a5304abe57acd71d644cde554427825249b460d58f0aba79f599f0c6fa40d23ea21aa941d

Download Submit
\Users\Admin\AppData\Local\Temp\jna-63116079\jna7415733984974618982.dll

Filesize
248KB

MD5
4de85f9679c3a75f6d7d3e56094aa106

SHA1
052f62fb2ebec89fbe412db480865910eab693ad

SHA256
3d1b2427b45ff5178bbb4db395758bedd3a1e91121ebb3e3640b5c4e20eb22cc

SHA512
e8357eabd548ffeba42715d891b9e1ed22b7bf720f48b1888407b9ebe7a796719c60a38f4fb8bb1cf32d3c9bed210a07cc227424ef991d356ec3acef9e6223ab

Download Submit
memory/1260-98-0x000001D00B6E0000-0x000001D00B6F0000-memory.dmp

Filesize
64KB

Download
memory/1260-99-0x000001D00B780000-0x000001D00B790000-memory.dmp

Filesize
64KB

Download
memory/1260-20-0x000001D00B610000-0x000001D00B620000-memory.dmp

Filesize
64KB

Download
memory/1260-22-0x000001D00B620000-0x000001D00B630000-memory.dmp

Filesize
64KB

Download
memory/1260-24-0x000001D00B630000-0x000001D00B640000-memory.dmp

Filesize
64KB

Download
memory/1260-26-0x000001D00B640000-0x000001D00B650000-memory.dmp

Filesize
64KB

Download
memory/1260-29-0x000001D00B650000-0x000001D00B660000-memory.dmp

Filesize
64KB

Download
memory/1260-30-0x000001D00B660000-0x000001D00B670000-memory.dmp

Filesize
64KB

Download
memory/1260-32-0x000001D00B670000-0x000001D00B680000-memory.dmp

Filesize
64KB

Download
memory/1260-34-0x000001D00B680000-0x000001D00B690000-memory.dmp

Filesize
64KB

Download
memory/1260-39-0x000001D00B390000-0x000001D00B600000-memory.dmp

Filesize
2.4MB

Download
memory/1260-44-0x000001D00B600000-0x000001D00B610000-memory.dmp

Filesize
64KB

Download
memory/1260-43-0x000001D00B6A0000-0x000001D00B6B0000-memory.dmp

Filesize
64KB

Download
memory/1260-42-0x000001D00B6C0000-0x000001D00B6D0000-memory.dmp

Filesize
64KB

Download
memory/1260-41-0x000001D00B6B0000-0x000001D00B6C0000-memory.dmp

Filesize
64KB

Download
memory/1260-40-0x000001D00B690000-0x000001D00B6A0000-memory.dmp

Filesize
64KB

Download
memory/1260-48-0x000001D00B6D0000-0x000001D00B6E0000-memory.dmp

Filesize
64KB

Download
memory/1260-134-0x000001D00B700000-0x000001D00B710000-memory.dmp

Filesize
64KB

Download
memory/1260-50-0x000001D00B6E0000-0x000001D00B6F0000-memory.dmp

Filesize
64KB

Download
memory/1260-49-0x000001D00B620000-0x000001D00B630000-memory.dmp

Filesize
64KB

Download
memory/1260-53-0x000001D00B6F0000-0x000001D00B700000-memory.dmp

Filesize
64KB

Download
memory/1260-52-0x000001D00B630000-0x000001D00B640000-memory.dmp

Filesize
64KB

Download
memory/1260-56-0x000001D00B700000-0x000001D00B710000-memory.dmp

Filesize
64KB

Download
memory/1260-55-0x000001D00B640000-0x000001D00B650000-memory.dmp

Filesize
64KB

Download
memory/1260-60-0x000001D00B710000-0x000001D00B720000-memory.dmp

Filesize
64KB

Download
memory/1260-59-0x000001D00B650000-0x000001D00B660000-memory.dmp

Filesize
64KB

Download
memory/1260-63-0x000001D00B660000-0x000001D00B670000-memory.dmp

Filesize
64KB

Download
memory/1260-64-0x000001D00B720000-0x000001D00B730000-memory.dmp

Filesize
64KB

Download
memory/1260-67-0x000001D00B730000-0x000001D00B740000-memory.dmp

Filesize
64KB

Download
memory/1260-66-0x000001D00B670000-0x000001D00B680000-memory.dmp

Filesize
64KB

Download
memory/1260-71-0x000001D00B740000-0x000001D00B750000-memory.dmp

Filesize
64KB

Download
memory/1260-70-0x000001D00B680000-0x000001D00B690000-memory.dmp

Filesize
64KB

Download
memory/1260-78-0x000001D00B750000-0x000001D00B760000-memory.dmp

Filesize
64KB

Download
memory/1260-77-0x000001D00B6C0000-0x000001D00B6D0000-memory.dmp

Filesize
64KB

Download
memory/1260-76-0x000001D00B6B0000-0x000001D00B6C0000-memory.dmp

Filesize
64KB

Download
memory/1260-75-0x000001D00B690000-0x000001D00B6A0000-memory.dmp

Filesize
64KB

Download
memory/1260-83-0x000001D00B760000-0x000001D00B770000-memory.dmp

Filesize
64KB

Download
memory/1260-82-0x000001D00B6A0000-0x000001D00B6B0000-memory.dmp

Filesize
64KB

Download
memory/1260-89-0x000001D00B6D0000-0x000001D00B6E0000-memory.dmp

Filesize
64KB

Download
memory/1260-90-0x000001D00B770000-0x000001D00B780000-memory.dmp

Filesize
64KB

Download
memory/1260-133-0x000001D00B370000-0x000001D00B371000-memory.dmp

Filesize
4KB

Download
memory/1260-16-0x000001D00B370000-0x000001D00B371000-memory.dmp

Filesize
4KB

Download
memory/1260-18-0x000001D00B600000-0x000001D00B610000-memory.dmp

Filesize
64KB

Download
memory/1260-105-0x000001D00B6F0000-0x000001D00B700000-memory.dmp

Filesize
64KB

Download
memory/1260-47-0x000001D00B610000-0x000001D00B620000-memory.dmp

Filesize
64KB

Download
memory/1260-2-0x000001D00B390000-0x000001D00B600000-memory.dmp

Filesize
2.4MB

Download
memory/1260-160-0x000001D00B780000-0x000001D00B790000-memory.dmp

Filesize
64KB

Download
memory/1260-159-0x000001D00B770000-0x000001D00B780000-memory.dmp

Filesize
64KB

Download
memory/1260-136-0x000001D00B6A0000-0x000001D00B6B0000-memory.dmp

Filesize
64KB

Download
memory/1260-137-0x000001D00B600000-0x000001D00B610000-memory.dmp

Filesize
64KB

Download
memory/1260-138-0x000001D00B610000-0x000001D00B620000-memory.dmp

Filesize
64KB

Download
memory/1260-139-0x000001D00B620000-0x000001D00B630000-memory.dmp

Filesize
64KB

Download
memory/1260-140-0x000001D00B630000-0x000001D00B640000-memory.dmp

Filesize
64KB

Download
memory/1260-141-0x000001D00B640000-0x000001D00B650000-memory.dmp

Filesize
64KB

Download
memory/1260-142-0x000001D00B650000-0x000001D00B660000-memory.dmp

Filesize
64KB

Download
memory/1260-143-0x000001D00B660000-0x000001D00B670000-memory.dmp

Filesize
64KB

Download
memory/1260-144-0x000001D00B670000-0x000001D00B680000-memory.dmp

Filesize
64KB

Download
memory/1260-145-0x000001D00B680000-0x000001D00B690000-memory.dmp

Filesize
64KB

Download
memory/1260-146-0x000001D00B690000-0x000001D00B6A0000-memory.dmp

Filesize
64KB

Download
memory/1260-147-0x000001D00B6B0000-0x000001D00B6C0000-memory.dmp

Filesize
64KB

Download
memory/1260-148-0x000001D00B6C0000-0x000001D00B6D0000-memory.dmp

Filesize
64KB

Download
memory/1260-149-0x000001D00B390000-0x000001D00B600000-memory.dmp

Filesize
2.4MB

Download
memory/1260-150-0x000001D00B6D0000-0x000001D00B6E0000-memory.dmp

Filesize
64KB

Download
memory/1260-151-0x000001D00B6E0000-0x000001D00B6F0000-memory.dmp

Filesize
64KB

Download
memory/1260-152-0x000001D00B6F0000-0x000001D00B700000-memory.dmp

Filesize
64KB

Download
memory/1260-153-0x000001D00B710000-0x000001D00B720000-memory.dmp

Filesize
64KB

Download
memory/1260-154-0x000001D00B720000-0x000001D00B730000-memory.dmp

Filesize
64KB

Download
memory/1260-155-0x000001D00B730000-0x000001D00B740000-memory.dmp

Filesize
64KB

Download
memory/1260-156-0x000001D00B740000-0x000001D00B750000-memory.dmp

Filesize
64KB

Download
memory/1260-157-0x000001D00B750000-0x000001D00B760000-memory.dmp

Filesize
64KB

Download
memory/1260-158-0x000001D00B760000-0x000001D00B770000-memory.dmp

Filesize
64KB

Download
memory/4492-222-0x000001DF382D0000-0x000001DF382D1000-memory.dmp

Filesize
4KB

Download
memory/4492-224-0x000001DF382D0000-0x000001DF382D1000-memory.dmp

Filesize
4KB

Download
memory/4492-108-0x000001DF39BC0000-0x000001DF39E30000-memory.dmp

Filesize
2.4MB

Download
memory/4492-187-0x000001DF382D0000-0x000001DF382D1000-memory.dmp

Filesize
4KB

Download
memory/4492-193-0x000001DF382D0000-0x000001DF382D1000-memory.dmp

Filesize
4KB

Download
memory/4492-207-0x000001DF382D0000-0x000001DF382D1000-memory.dmp

Filesize
4KB

Download
memory/4492-115-0x000001DF382D0000-0x000001DF382D1000-memory.dmp

Filesize
4KB

Download
memory/4492-221-0x000001DF382D0000-0x000001DF382D1000-memory.dmp

Filesize
4KB

Download
memory/4492-236-0x000001DF382D0000-0x000001DF382D1000-memory.dmp

Filesize
4KB

Download
memory/4492-135-0x000001DF382D0000-0x000001DF382D1000-memory.dmp

Filesize
4KB

Download
memory/4492-240-0x000001DF382D0000-0x000001DF382D1000-memory.dmp

Filesize
4KB

Download
memory/4492-241-0x000001DF382D0000-0x000001DF382D1000-memory.dmp

Filesize
4KB

Download
memory/4492-244-0x000001DF382D0000-0x000001DF382D1000-memory.dmp

Filesize
4KB

Download
memory/4492-242-0x000001DF382D0000-0x000001DF382D1000-memory.dmp

Filesize
4KB

Download
memory/4492-251-0x000001DF382D0000-0x000001DF382D1000-memory.dmp

Filesize
4KB

Download
memory/4492-314-0x000001DF39BC0000-0x000001DF39E30000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads