Overview

overview

10

Static

static

1

0a0e0d2f9d...9f.jar

windows7-x64

7

0a0e0d2f9d...9f.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2024 12:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a0e0d2f9daa0bad25c3defd69a3a6d96a6ac5f325a369761807c06887d3bd9f.jar

  • Size

    329KB

  • MD5

    f1d0370f57f1dffbce1b665e45483da1

  • SHA1

    5cf0a176fcb31e091099a3b661b4bd8eab418cf1

  • SHA256

    0a0e0d2f9daa0bad25c3defd69a3a6d96a6ac5f325a369761807c06887d3bd9f

  • SHA512

    660ba4fe4cbbf9286272054472c07cc041c3eeaa911d68ca0f45b398c202f379b74b2a2443bda6da163ec58ddfc97b615d97869265238d76f5f0b179d09a7a52

  • SSDEEP

    6144:1ieAn4qfVev93QG4B9XQdKuPKwdWBsw3eO8RQrFXg3iWA5iHDX0:1Ra4qfA93BdTk3OeFXg3iDWo

Score
10/10
pikabotbotnetdiscovery

Malware Config

Extracted

Family

pikabot

C2

https://45.76.251.190:5567

https://131.153.231.178:2221

https://95.179.135.3:2225

https://155.138.147.62:2223

https://86.38.225.109:13724

https://172.232.189.219:2224

https://198.44.187.12:2224

https://104.156.233.235:2226

https://103.82.243.5:13721

https://86.38.225.106:2221

https://45.32.248.100:2226

https://23.226.138.161:5242

https://37.60.242.85:9785

https://104.129.55.105:2223

https://45.32.21.184:5242

https://178.18.246.136:2078

https://108.61.78.17:13719

https://86.38.225.105:13721

https://172.232.189.10:1194

https://172.232.162.97:13719

Signatures

  • PikaBot

    PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.

    botnetpikabot
  • Pikabot family
    pikabot
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\0a0e0d2f9daa0bad25c3defd69a3a6d96a6ac5f325a369761807c06887d3bd9f.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32 /s C:\Users\Admin\AppData\Local\Temp\\317631.png
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Windows\SysWOW64\regsvr32.exe
        /s C:\Users\Admin\AppData\Local\Temp\\317631.png
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of WriteProcessMemory
        PID:4020
        • C:\Windows\SysWOW64\ctfmon.exe
          "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2232

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\317631.png
    Filesize

    476KB

    MD5

    f32839de7b3209090778a9a4c5e14cce

    SHA1

    ca33599617a5de46cb3e726d66eee9d48e5a78af

    SHA256

    aab9e3d3f923f7c17694df3bd395aea1112f87e63580c1762579c43056d3b2da

    SHA512

    0aff888a6433bbae83bf2f7694158d25ceb6e3c7083b447cfb9241e529df0971d70598eb5005e048f605237def92f1a89c6172095272fd13b5add85cdab20015

    Download Submit

  • memory/2164-2-0x000001CEAF260000-0x000001CEAF4D0000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2164-12-0x000001CEAF240000-0x000001CEAF241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-14-0x000001CEAF240000-0x000001CEAF241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-15-0x000001CEAF260000-0x000001CEAF4D0000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2232-19-0x0000000000310000-0x0000000000328000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2232-24-0x0000000000310000-0x0000000000328000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4020-18-0x00000000010E0000-0x0000000001114000-memory.dmp

    Filesize

    208KB

    Download

  • memory/4020-30-0x00000000010E0000-0x0000000001114000-memory.dmp

    Filesize

    208KB

    Download