Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-10-2024 12:30
Static task
static1
Behavioral task
behavioral1
Sample
0a0e0d2f9daa0bad25c3defd69a3a6d96a6ac5f325a369761807c06887d3bd9f.jar
Resource
win7-20241023-en
General
-
Target
0a0e0d2f9daa0bad25c3defd69a3a6d96a6ac5f325a369761807c06887d3bd9f.jar
-
Size
329KB
-
MD5
f1d0370f57f1dffbce1b665e45483da1
-
SHA1
5cf0a176fcb31e091099a3b661b4bd8eab418cf1
-
SHA256
0a0e0d2f9daa0bad25c3defd69a3a6d96a6ac5f325a369761807c06887d3bd9f
-
SHA512
660ba4fe4cbbf9286272054472c07cc041c3eeaa911d68ca0f45b398c202f379b74b2a2443bda6da163ec58ddfc97b615d97869265238d76f5f0b179d09a7a52
-
SSDEEP
6144:1ieAn4qfVev93QG4B9XQdKuPKwdWBsw3eO8RQrFXg3iWA5iHDX0:1Ra4qfA93BdTk3OeFXg3iDWo
Malware Config
Extracted
pikabot
https://45.76.251.190:5567
https://131.153.231.178:2221
https://95.179.135.3:2225
https://155.138.147.62:2223
https://86.38.225.109:13724
https://172.232.189.219:2224
https://198.44.187.12:2224
https://104.156.233.235:2226
https://103.82.243.5:13721
https://86.38.225.106:2221
https://45.32.248.100:2226
https://23.226.138.161:5242
https://37.60.242.85:9785
https://104.129.55.105:2223
https://45.32.21.184:5242
https://178.18.246.136:2078
https://108.61.78.17:13719
https://86.38.225.105:13721
https://172.232.189.10:1194
https://172.232.162.97:13719
Signatures
-
Pikabot family
-
Loads dropped DLL 1 IoCs
pid Process 4020 regsvr32.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4020 set thread context of 2232 4020 regsvr32.exe 96 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctfmon.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe 4020 regsvr32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4020 regsvr32.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
pid Process 4020 regsvr32.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2164 wrote to memory of 5076 2164 java.exe 88 PID 2164 wrote to memory of 5076 2164 java.exe 88 PID 5076 wrote to memory of 4020 5076 regsvr32.exe 89 PID 5076 wrote to memory of 4020 5076 regsvr32.exe 89 PID 5076 wrote to memory of 4020 5076 regsvr32.exe 89 PID 4020 wrote to memory of 2232 4020 regsvr32.exe 96 PID 4020 wrote to memory of 2232 4020 regsvr32.exe 96 PID 4020 wrote to memory of 2232 4020 regsvr32.exe 96 PID 4020 wrote to memory of 2232 4020 regsvr32.exe 96 PID 4020 wrote to memory of 2232 4020 regsvr32.exe 96 PID 4020 wrote to memory of 2232 4020 regsvr32.exe 96 PID 4020 wrote to memory of 2232 4020 regsvr32.exe 96 PID 4020 wrote to memory of 2232 4020 regsvr32.exe 96
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\0a0e0d2f9daa0bad25c3defd69a3a6d96a6ac5f325a369761807c06887d3bd9f.jar1⤵
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SYSTEM32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\\317631.png2⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\\317631.png3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\ctfmon.exe"C:\Windows\SysWOW64\ctfmon.exe -p 1234"4⤵
- System Location Discovery: System Language Discovery
PID:2232
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
476KB
MD5f32839de7b3209090778a9a4c5e14cce
SHA1ca33599617a5de46cb3e726d66eee9d48e5a78af
SHA256aab9e3d3f923f7c17694df3bd395aea1112f87e63580c1762579c43056d3b2da
SHA5120aff888a6433bbae83bf2f7694158d25ceb6e3c7083b447cfb9241e529df0971d70598eb5005e048f605237def92f1a89c6172095272fd13b5add85cdab20015