Analysis
max time kernel: 1775s
max time network: 1800s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 03/11/2024, 04:16
Static task: static1
Behavioral task: behavioral1 (Sample: LK Rat.jar, Resource: win10ltsc2021-20241023-en)
Behavioral task: behavioral2 (Sample: LK Rat.jar, Resource: win11-20241007-en)
Behavioral task: behavioral3 (Sample: LK Rat.jar, Resource: macos-20240711.1-en)
Behavioral task: behavioral4 (Sample: LK Rat.jar, Resource: ubuntu2004-amd64-20240611-en)
General
Target: LK Rat.jar
Size: 1.4MB
MD5: 8c65d5456bcd4e07d64e87b856ffb2b2
SHA1: 81ec28c78875d17f08603b427b7783c0cc55bb80
SHA256: 74148c3575a944b44668549c4a25c9a02a822b464c70c20d91cef1866fd54e9c
SHA512: 6b3a424eb3f83308400007020bd81d71b60b7c6b15cdf5a1e45d53ab7cc343eb66de5077492686f582025c790a496804b8e6a36d49574ed9292fb3be0cf1178e
SSDEEP: 24576:M0enMGto+9l1JFpABv5gUIch/lqi++f89WTuh+fl1RFxAtHT5SlJtf:3eMGbxJYvKA9QYT/zRAsd
Malware Config
Signatures
- Loads dropped DLL (5 IoCs)
  pid 4564, java.exe (5 events)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by reg.exe: \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1730607381620.tmp"
  Set value (str) by reg.exe: \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1730607382417.tmp"
- Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by java.exe: \??\F:
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid 3448, cmd.exe
  pid 4752, PING.EXE
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid 4752, PING.EXE
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid 3636, java.exe
  pid 4564, java.exe (4 events)
- Suspicious use of WriteProcessMemory (24 IoCs; each row below is reported twice)
  PID 3636 (java.exe) wrote to memory of 4564, procid_target 84
  PID 3636 (java.exe) wrote to memory of 2680, procid_target 86
  PID 3636 (java.exe) wrote to memory of 3296, procid_target 88
  PID 3296 (cmd.exe) wrote to memory of 3572, procid_target 90
  PID 4564 (java.exe) wrote to memory of 1580, procid_target 91
  PID 4564 (java.exe) wrote to memory of 2980, procid_target 93
  PID 2980 (cmd.exe) wrote to memory of 3408, procid_target 95
  PID 4564 (java.exe) wrote to memory of 4156, procid_target 113
  PID 4156 (cmd.exe) wrote to memory of 888, procid_target 115
  PID 4564 (java.exe) wrote to memory of 3448, procid_target 116
  PID 4564 (java.exe) wrote to memory of 4744, procid_target 118
  PID 3448 (cmd.exe) wrote to memory of 4752, procid_target 120
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid 2680, attrib.exe
  pid 1580, attrib.exe
Processes
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\LK Rat.jar"
  PID: 3636
  Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    Command line: java -jar C:\Users\Admin\AppData\Local\Temp\pULHfy895942203317978330.tmp
    PID: 4564
    Signatures: Loads dropped DLL; Enumerates connected drives; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\attrib.exe
      Command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607382417.tmp
      PID: 1580
      Signatures: Views/modifies file attributes
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607382417.tmp" /f"
      PID: 2980
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\reg.exe
        Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607382417.tmp" /f
        PID: 3408
        Signatures: Adds Run key to start application
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c "REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /f"
      PID: 4156
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\reg.exe
        Command line: REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /f
        PID: 888
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c ping localhost -n 6 > nul && del C:\Users\Admin\AppData\Local\Temp\pULHfy895942203317978330.tmp
      PID: 3448
      Signatures: System Network Configuration Discovery: Internet Connection Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\PING.EXE
        Command line: ping localhost -n 6
        PID: 4752
        Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Program Files\Java\jre-1.8\bin\java.exe
      Command line: "C:\Program Files\Java\jre-1.8\bin\java" -cp C:\Users\Admin\AppData\Local\Temp\pULHfy895942203317978330.tmp org.bridj.Platform$DeleteFiles C:\Users\Admin\AppData\Local\Temp\BridJExtractedLibraries6414967750426932588\bridj.dll C:\Users\Admin\AppData\Local\Temp\BridJExtractedLibraries6414967750426932588 C:\Users\Admin\AppData\Local\Temp\BridJExtractedLibraries6414967750426932588\OpenIMAJGrabber.dll
      PID: 4744
  - C:\Windows\SYSTEM32\attrib.exe
    Command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607381620.tmp
    PID: 2680
    Signatures: Views/modifies file attributes
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607381620.tmp" /f"
    PID: 3296
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607381620.tmp" /f
      PID: 3572
      Signatures: Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (1)
Downloads
- Filesize: 46B
  MD5: e4fef829f55c5835f5b2080bbb1a5606
  SHA1: 4e638a5cc62b5632eef009ca4879539b310fee1e
  SHA256: 76078661cc809e27745d1517647c6060f9cecf49b904ec5d59f74ca3f38963c5
  SHA512: 11aa7d21d87fb601b710c4ae9d8790ec9debb273be88338eee0310ef61d932c2513e9a76ed53ceb8391ea8d2455d2dd14f1550598d2725291f560decf5bb2609
- Filesize: 3.1MB
  MD5: b22ef746fd14c702e5bd29b466c6312b
  SHA1: 19674f9167c56c0bbdaa3a4a48277b802e480000
  SHA256: 121f7a1d3aa9f538fd4710fd3a2175a7f062e1260d3e2df83752512a28f290d6
  SHA512: 0b1757fb6d17077b1046c73909623ddb180c6a02b872bcbb9aef40fceb9ed6ff268438e7cb62b9c5ce4c2fd944ea99cf4aa9d2d4b31d70806f1ba607fdb05b6e
- Filesize: 203KB
  MD5: de6cf300c801226d4b19e4fdc258975e
  SHA1: 49e72ddee45ca9cf332c50b4c716781ac0df07fd
  SHA256: 41565e543a043ee2073a0b3d93082b78614d2241aa2c6669e05385d94511851c
  SHA512: 1a152efe851bd1fb029924f4854a9374f0fbb8a78b5a73efd49b5807f45e7ffccac7ca780cc1bdf3090eda6e491b2e4afb57162efafba274196d92cb972fc05c
- Filesize: 2.2MB
  MD5: 137a448313d5b6d19279833d841b3590
  SHA1: 6ed5b437fb5c03879e8c1afcc0d97df4b7f1bbcd
  SHA256: de349716e627e245e4b17fd487dba4033dbc92e5e22fb950c25514700334f97e
  SHA512: 6cca760abb063e97404cdd43a633c19f4afe459a1b975857e24040f503a77ab812c4347b150f4f3410522002a3c4365161cf4508b1e9d8e53987e3799638f573
- Filesize: 1.3MB
  MD5: 4331bdf536b724b5c49cfa83e89f55cb
  SHA1: a9442345f3aa6f4e61fd9516b800f5fbb00d56b7
  SHA256: 54a8a2f553e7448eb01c90ed5d40fa1d61be15706131206d155ea3a2f70593ab
  SHA512: 4fbf66406871873b508a516178fee2bd7cbff9a44942b1f86c8c874057a08402a89b56342dbe5d81ae35fff4624a7b32f294898b99ee50585455b928245c32ee
- Filesize: 185KB
  MD5: 85f770f1418eac0ce7ba2858af58e728
  SHA1: 00dccd40f789ad5f3bff3954955f3c9f1b5eb0e0
  SHA256: dc5671b2816a4c93d47193b9481aec9cad587414a5d5a3a51fc410abdef412cc
  SHA512: d24cef1bb8bba8f0baed8ab71f995b04176b601128a607d37ba5747539a0458d06083a507ed2e7c20a34585ca98d9e2a5881336ad971edb065c7f9dc865bfc4f
- Filesize: 137KB
  MD5: eb31babd3452d99aeab24f0655e7610a
  SHA1: 3250d3ffa350d0d41fec53d7cbd73d7351b958e7
  SHA256: ab1c3d1211903f7cd938702d806c423fbc32414589a5a4f77b6d4f999a7b6c02
  SHA512: f5f81648c5462d1b19d2eac414a7afe8898c69436ca153f04a4862d6e267a939ddc2bd46a6a8df89d46d7703f7ad25700b2360b4882d79a5510629014973431e
- Filesize: 84KB
  MD5: 0285a117e67739776220c34ef08b2d43
  SHA1: d32e6b1128407a7e59eff481c8643a116aa2f56a
  SHA256: 332c71776659988159f98e0e6621b1e37694a7a57f954e0c5ca2f95c939b8f59
  SHA512: 7a967cb11d5bb80adda24cd966aa4d389a54cb156e0b74406dd09023c48a39490b8cb18d84fa840c107b73e7008981a049544248dbce8c9e43bba212ed8352d2
- Filesize: 584B
  MD5: c6545ac56e958270088b4842f484756b
  SHA1: f6381b020b0e2e6d8e26babfb0b65aa19522c527
  SHA256: b2483dd24cc16817588d7fa3d9ab0c18d710e806c81bec419e7b918b4b07564c
  SHA512: 135e8bc052a56de4ddacb9fafea36657b09ed6a5e41d9ddb94a53adfe89ef0f6aeb9d41036949329c6a3d6f0d4375cbbcf8c09d0de4626ef14dc5a02edcb4e95
- Filesize: 484B
  MD5: cc8fbb4440ae04418928c8d42e4ccb21
  SHA1: bbbeed8e96bcfa4dfd977441a83566dbc638e079
  SHA256: cd899a1183aeeac6a4c6a0f17d8af1845d244896d7e9fd309b1f486d918f89c0
  SHA512: 569892d513c1c56ceac24ee757e4868a14b4c3a5084c2b21192a36a171dd5240914621a203ebacb0ada0d65fc406c31be8346445fb3a86c0280515006376472c
- Filesize: 37KB
  MD5: a3fd87970caee840ceece9d5f03705cd
  SHA1: 1ffab512b78568dbb851b1afd5a59aada4b9f517
  SHA256: 96f81802a005cab4416fe2667a969d614b47fd51287ddb312d429b592554ddf3
  SHA512: 551dfd67d9cf9057f69d884522169b39d2c0775cac08329829cb6c3691725c32f25be6ca75e6f116dbc2d248d46ebc276ac8fde0d51324cf709acbbfb0faf055
- Filesize: 111KB
  MD5: 99f63bc3411fb5e0d8341d148e90728f
  SHA1: 8e93e18e223574d591b38d26d27ef6b76ec0e2de
  SHA256: 44a9b7b4c03a1d80bcf40103320be2e07af556a93117f2ff2cd4addc1e1cd92d
  SHA512: 5a244a2f966073ef644bb1f12662729ba82fee09b8fab112f91dc2c7c2f2145a163150a9a263df69cc7c96ba4e08ca5b38e5adfe54863ea1c49c97e54e82055f
- Filesize: 110KB
  MD5: 7cf685211ab057057348162d17a3b241
  SHA1: d0c9ad2894189714a2bd2dd771781033d77e4e55
  SHA256: 6538a9e54498dc9bd08870ced04865d46d66d32640b18f8eb076a0df15c78d4d
  SHA512: 14e1c5deb8c359ab8eae8169596044d9f6a3099174cb379acb51af74a0c668a926dcc72fd69033416c1f64aa21dceb42c59d55ae62127fdd64259f94ec8cfe13
- Filesize: 113KB
  MD5: a849b8a304f12e6bbf2a28f81be42ca4
  SHA1: d84561551274349e34df3bed6bdb141548057831
  SHA256: 102e104b20b3ed98a8f2ef238f40b111f4a8edbba38be2314b23027e2878f51b
  SHA512: be3981bca6e57fd3acc21f37a0509e57524c3bb497fa75e67ebe896d3b254103fd943f8e7e10dd5cc24e168a195800041673b4f9cd2e3bc8915b5df56d87c7bd
- Filesize: 388B
  MD5: b04d66da7b58ca382de0823bb8289f83
  SHA1: f1cda021b46b23b6dd492efc1b4836ec66ecfe8a
  SHA256: 2aeb1f880743aa3a8fadf54c21ddbeb03e8dc335aea4d51a7ff4125b36ff77dd
  SHA512: 78afe40dfe9c0a55442bd8744ee0471898058d3f7898167dc47183ab58e5d2453155983e1ce59271baac3c3995c0c9a561513fdfc0d523f7f9fe216876200dce
- Filesize: 850B
  MD5: 21c3facdf1026c2dd79f0110eb9f7f0f
  SHA1: 93e0449d1e8a845a6253762b2af0d57efe97e036
  SHA256: fb88993dd5cab2af179a4d0818b1114f17b6dd07f122370ef03da6c88f14afa2
  SHA512: 680ac6318c04416b26e3dc8192bdee5be269bd33ec422ca1700cc0b886f15e55a4d64dda0f0113cc3d7b7315b6cd61b37d2de4fec4fba5a04fc0a92f65c5761c
- Filesize: 395B
  MD5: 3338aa57aaaded7c314425d22be5483e
  SHA1: b09b6bc78079488dba2112e92a5ca59388f0d382
  SHA256: 6ec54458e0593bd19cb9437e7c778d913c8cdf942bb0396e34866fae1aa96767
  SHA512: d3c3c6c1a4ea7bd6c68c502bc2c720ae79d54f31062a55aac280d05e4ce27224a42e092fc3b9d0639e575722825b071e7d52b1a284fc20a0d4a30dbbb5bbf3f2
- Filesize: 36KB
  MD5: 8de294160f203eb55b8b5501ba785a48
  SHA1: 12726c32898647770a9a9ca3c5a89c8c203fa06b
  SHA256: 5768f893300d7260542dd79dad6ba7f17581559f902a72348079458c2e3f2490
  SHA512: bdb8ac4c9497ca0725dbb6b92f83f254465737c383e27e611f39a859a5ec9f1e6bdd9a44b97ff2899e661d625a4a12862780fc23abb7a4b1ebfece48709f16d6
- Filesize: 351B
  MD5: 023126c0696b39485af6f57eb2911cdf
  SHA1: 60d74b4d1bc3b6f192b26c859bbafb23b8e4c9c9
  SHA256: 3d3c6dddbc54af1b647adab3fd9e84731891df92fdca5ddc5925496f5197f40a
  SHA512: cb9c7ffb498855f3e5beace260029b860c9f22f35bc921e133574e1122c764ada17d0de5e6405a7e093ac48a8ff7f5c4ae0579af68bec8e0af1ecb32f640291b
- Filesize: 114KB
  MD5: cd0c2043597804c30094da08dbd2ec9a
  SHA1: ddc0fc70e620df19a150425f4d66ab930a58e98d
  SHA256: 1aaaa86dd3757d589325b3fd34a98948cb38c60d6ed6302380291a4600c01734
  SHA512: a8a32c3194a725293165d065151b6d6c5ef8bc10a09dca5655df4d309a876f9f613ae51eccd42c47eaf510289f1626eecb02f6b80c19cd9287996022f07e1d19
- Filesize: 248KB
  MD5: 719d6ba1946c25aa61ce82f90d77ffd5
  SHA1: 94d2191378cac5719daecc826fc116816284c406
  SHA256: 69c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44
  SHA512: 119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b
- Filesize: 710KB
  MD5: ea32d3a9a0a4c7dd26bc75b770b8d6e6
  SHA1: 79dd917e26e45af4e20a19592bbaa88c44629a76
  SHA256: 68de0bf850720a72c68ea6cec582131b176222cfc90856b744c35bde551f57d3
  SHA512: 6602ab5c0f36611e5ffec8f4f077d72f7b9858fec7104b0ad8ad0bf4b5c3ebf1d0fbf9ed53720c4dd0a6d288b3b1b050c2e9cc34f54361d811f49b19980a7a47
- C:\Users\Admin\AppData\Local\Temp\sqlite-unknown-e2e5f399-3ace-4d02-875b-0278fa68c90a-sqlitejdbc.dll
  Filesize: 720KB
  MD5: 98eac6ad76d39e73967252542f6f40e4
  SHA1: 76923dd88c42c2536e969009927282025be4e79d
  SHA256: 51cc105f172859e6866f3cad5c99188663be503cd4bb618c946b0c83faabf0b8
  SHA512: 076bd432b21220f023b861b3d31aabb702386e073209b54d0401058f67aa3205938909a32637f48770e63c0ff512338248a8c1131cd5159daf8eec35249ca7ef
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-870806430-2618236806-3023919190-1000\83aa4cc77f591dfc2374580bbd95f6ba_f8cb507d-35a1-48c2-aef3-a249a39aae63
  Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd