c99288da420eaf55840ef62076c4aa0ebdddc41100c70b900f429e439cf4387a

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-31_666248d4624eb5b840447bff7bb5932c_hijackloader_jeefo_magniber.exe
Size

1.5MB
MD5

666248d4624eb5b840447bff7bb5932c
SHA1

0d80295027db0e87ae269a68192d16c54fb6226a
SHA256

c99288da420eaf55840ef62076c4aa0ebdddc41100c70b900f429e439cf4387a
SHA512

dd2ca69a9ee7f4d9bb019404224a5faf9879b598f2abdec72950dc2a8e84ff8794997cb27c489ad61a47ac99f137865a2a3cbdec5fc30c7097f3da90ad0734ee
SSDEEP

49152:JRPGPWI+llRK7lC1oClOQZFcYD61tVeNIcTr6w0SMe:JRPTVaYNWnVRKMe

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3504	svchost.exe
5084	2024-10-31_666248d4624eb5b840447bff7bb5932c_hijackloader_jeefo_magniber.exe
3552	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	2024-10-31_666248d4624eb5b840447bff7bb5932c_hijackloader_jeefo_magniber.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-31_666248d4624eb5b840447bff7bb5932c_hijackloader_jeefo_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-31_666248d4624eb5b840447bff7bb5932c_hijackloader_jeefo_magniber.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 3504	4032	2024-10-31_666248d4624eb5b840447bff7bb5932c_hijackloader_jeefo_magniber.exe	84
PID 4032 wrote to memory of 3504	4032	2024-10-31_666248d4624eb5b840447bff7bb5932c_hijackloader_jeefo_magniber.exe	84
PID 4032 wrote to memory of 3504	4032	2024-10-31_666248d4624eb5b840447bff7bb5932c_hijackloader_jeefo_magniber.exe	84
PID 3504 wrote to memory of 5084	3504	svchost.exe	85
PID 3504 wrote to memory of 5084	3504	svchost.exe	85
PID 3504 wrote to memory of 5084	3504	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-10-31_666248d4624eb5b840447bff7bb5932c_hijackloader_jeefo_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-31_666248d4624eb5b840447bff7bb5932c_hijackloader_jeefo_magniber.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\2024-10-31_666248d4624eb5b840447bff7bb5932c_hijackloader_jeefo_magniber.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\2024-10-31_666248d4624eb5b840447bff7bb5932c_hijackloader_jeefo_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-31_666248d4624eb5b840447bff7bb5932c_hijackloader_jeefo_magniber.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5084

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-10-31_666248d4624eb5b840447bff7bb5932c_hijackloader_jeefo_magniber.exe

Filesize
1.5MB

MD5
5815de044c3274cc17afce0081c59d4c

SHA1
dab1d0c743ecfab7b00689277811423049b63ffc

SHA256
384d4597d503494237e30f7a54fbb88d2b23e4135c8c399ff844b1e182779024

SHA512
4a64bbdadd9a2b6746188a7ef0b3a06312eb540b67a174d9529ae455d0a7e96583abb41241f964036f36bb480b32f9e256943c025371e9c39b3b12a669c8e3d6

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/3504-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3552-13-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3552-18-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3552-22-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4032-3-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download