Analysis
-
max time kernel
873s
-
max time network
967s
-
platform
windows11-21h2_x64
-
resource
win11-20241007-en
-
resource tags
arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
-
submitted
03/11/2024, 04:16
Static task
static1
Behavioral task
behavioral1
Sample
LK Rat.jar
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral2
Sample
LK Rat.jar
Resource
win11-20241007-en
Behavioral task
behavioral3
Sample
LK Rat.jar
Resource
macos-20240711.1-en
Behavioral task
behavioral4
Sample
LK Rat.jar
Resource
ubuntu2004-amd64-20240611-en
General
-
Target
LK Rat.jar
-
Size
1.4MB
-
MD5
8c65d5456bcd4e07d64e87b856ffb2b2
-
SHA1
81ec28c78875d17f08603b427b7783c0cc55bb80
-
SHA256
74148c3575a944b44668549c4a25c9a02a822b464c70c20d91cef1866fd54e9c
-
SHA512
6b3a424eb3f83308400007020bd81d71b60b7c6b15cdf5a1e45d53ab7cc343eb66de5077492686f582025c790a496804b8e6a36d49574ed9292fb3be0cf1178e
-
SSDEEP
24576:M0enMGto+9l1JFpABv5gUIch/lqi++f89WTuh+fl1RFxAtHT5SlJtf:3eMGbxJYvKA9QYT/zRAsd
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1730607380598.tmp" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1730607381239.tmp" | reg.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
4280 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 64 IoCs
pid | Process
1288 | java.exe
1572 | java.exe (4 entries)
4280 | EXCEL.EXE (all remaining entries)
-
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 1288 wrote to memory of 1572 | 1288 | java.exe | 81
PID 1288 wrote to memory of 1572 | 1288 | java.exe | 81
PID 1288 wrote to memory of 3668 | 1288 | java.exe | 83
PID 1288 wrote to memory of 3668 | 1288 | java.exe | 83
PID 1288 wrote to memory of 3220 | 1288 | java.exe | 85
PID 1288 wrote to memory of 3220 | 1288 | java.exe | 85
PID 3220 wrote to memory of 1028 | 3220 | cmd.exe | 87
PID 3220 wrote to memory of 1028 | 3220 | cmd.exe | 87
PID 1572 wrote to memory of 2540 | 1572 | java.exe | 89
PID 1572 wrote to memory of 2540 | 1572 | java.exe | 89
PID 1572 wrote to memory of 3156 | 1572 | java.exe | 91
PID 1572 wrote to memory of 3156 | 1572 | java.exe | 91
PID 3156 wrote to memory of 1544 | 3156 | cmd.exe | 93
PID 3156 wrote to memory of 1544 | 3156 | cmd.exe | 93
PID 4280 wrote to memory of 2068 | 4280 | EXCEL.EXE | 100
PID 4280 wrote to memory of 2068 | 4280 | EXCEL.EXE | 100
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid | Process
3668 | attrib.exe
2540 | attrib.exe
Processes
-
Nesting level of each process in the tree is shown in brackets; child processes are listed indented beneath their parent.

[1] C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\LK Rat.jar"
    PID: 1288
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
        Command line: java -jar C:\Users\Admin\AppData\Local\Temp\pULHfy60799363049740799.tmp
        PID: 1572
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SYSTEM32\attrib.exe
            Command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607381239.tmp
            PID: 2540
            - Views/modifies file attributes

        [3] C:\Windows\SYSTEM32\cmd.exe
            Command line: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607381239.tmp" /f"
            PID: 3156
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\reg.exe
                Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607381239.tmp" /f
                PID: 1544
                - Adds Run key to start application

    [2] C:\Windows\SYSTEM32\attrib.exe
        Command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607380598.tmp
        PID: 3668
        - Views/modifies file attributes

    [2] C:\Windows\SYSTEM32\cmd.exe
        Command line: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607380598.tmp" /f"
        PID: 3220
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\reg.exe
            Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607380598.tmp" /f
            PID: 1028
            - Adds Run key to start application

[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\RepairRedo.xlsx"
    PID: 4280
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\splwow64.exe
        Command line: C:\Windows\splwow64.exe 12288
        PID: 2068

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    PID: 1676
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
46B
MD5
d475ad3f3e32d0c0ac429ccbe2a70582
SHA1
b3124dbb48c42d35b94712614963f93514d40cbb
SHA256
c1d34fe5ced03ab025ce20043f030149c522d73496791660f5df7110550575ba
SHA512
a0a2760ab868e7b4efc118bea1a6def4d3e878687789f61ea0e8bea9a60e0e163b9e4ca19b8595927aeab77aa03c9c87125216ca30a0ea6e438ee4eba1edb766
-
Filesize
3.1MB
MD5
b22ef746fd14c702e5bd29b466c6312b
SHA1
19674f9167c56c0bbdaa3a4a48277b802e480000
SHA256
121f7a1d3aa9f538fd4710fd3a2175a7f062e1260d3e2df83752512a28f290d6
SHA512
0b1757fb6d17077b1046c73909623ddb180c6a02b872bcbb9aef40fceb9ed6ff268438e7cb62b9c5ce4c2fd944ea99cf4aa9d2d4b31d70806f1ba607fdb05b6e
-
Filesize
73KB
MD5
50affb41a526e6d58b24afc6664a8f33
SHA1
6d4c60a5965dd9f0df868c3def14625c56eb4a73
SHA256
f8307cf2f5bb19216e089bc23371f414ed3a299569e0c92e5daf1b3d76197e0a
SHA512
653bd409b83a845a5384e05fe2be659660b52f6b2bb95ba004d08af581833278367f70c0a01e45c18881cc8c70b9ff29f8f7d08086a3cdf49f1bb3c33dbaa32a
-
Filesize
26KB
MD5
7ae9e5ab7be7e000e3130959b10fd41f
SHA1
75ea22029f4e7b34cf7cb11846ccbcf952343c11
SHA256
15b62421835d8f439eb11095d522544a43de58f157e868c25eca080f96b0e951
SHA512
c7a3a3cb9bfa72319ece066b9ab3d0fa7606d61ae8919d5aa389593382f25960b64bd57e5002663b538a2a20a34a4da24f006a6d84224187e487a0c5c651764b
-
Filesize
73KB
MD5
814f5bbbce5210fc68661e8887ea8844
SHA1
69272975cc1b86b6bd2190de7df5a8cde859578a
SHA256
72f8fdc0bbf00859b5cc9a0e585fd56c98012229adc83b7c242acaba89600e84
SHA512
37c47173c0373c72d58f35b38d75688be4b7ecaa2792bb827cb724da87528c3abbdcf645c9d8418afac9ac4ac44fd3df329d26c1a1c7bc63e93e733c1af5dcb6
-
Filesize
710KB
MD5
ea32d3a9a0a4c7dd26bc75b770b8d6e6
SHA1
79dd917e26e45af4e20a19592bbaa88c44629a76
SHA256
68de0bf850720a72c68ea6cec582131b176222cfc90856b744c35bde551f57d3
SHA512
6602ab5c0f36611e5ffec8f4f077d72f7b9858fec7104b0ad8ad0bf4b5c3ebf1d0fbf9ed53720c4dd0a6d288b3b1b050c2e9cc34f54361d811f49b19980a7a47
-
Filesize
1.4MB
MD5
8c65d5456bcd4e07d64e87b856ffb2b2
SHA1
81ec28c78875d17f08603b427b7783c0cc55bb80
SHA256
74148c3575a944b44668549c4a25c9a02a822b464c70c20d91cef1866fd54e9c
SHA512
6b3a424eb3f83308400007020bd81d71b60b7c6b15cdf5a1e45d53ab7cc343eb66de5077492686f582025c790a496804b8e6a36d49574ed9292fb3be0cf1178e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4249425805-3408538557-1766626484-1000\83aa4cc77f591dfc2374580bbd95f6ba_02510207-a8a1-401b-a8b2-969e44fe3fef
Filesize
45B
MD5
c8366ae350e7019aefc9d1e6e6a498c6
SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
Filesize
359B
MD5
b20aad2670a5609512adb693ed6d378a
SHA1
d73f1650fc40c5e821d739a0cb1dfa39a7260832
SHA256
09797f593ff738891a54b2a55caed74038493183cbe4ca0249df85edb3b3479c
SHA512
1a49d7fe03e6652491f4e8d6f23a3360db6e030644f3a71ad23c058ac7a945a67c247b6f2d4ab3e37344c8ca9566b63f5181a9e1ef9a406d3d40b5add64fe22e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize
3KB
MD5
e7e25fd019cc589ec80081ae3eb1cd69
SHA1
5fd0baeee4a375c85c4ed1b226599b128892fe19
SHA256
82d59717a7755000c265d77e1adbd5d74b17d1fc86a391daa5fd0ad09efd4911
SHA512
b0be3e8a7802cacd413485adf2e4fb70a0b77678cf217165614044a2b79c487b04c07523bd9fcc2436d9bf4ed3b88ca9778307f08268e7d0d0938528e4c764ea
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize
3KB
MD5
cabcf08a53dbb4e5ad107d23d12c791f
SHA1
1ff2298d7aeb346c85e67b2190c16c02e5ea99dd
SHA256
52dac7eaec9958c28454f6c94d81e0609cb4a5faff119045131db29c6b60ae89
SHA512
c9e568e25af15308d192c015eb6bf32f9881302d39c486a22bb4aebd11407157a9dc3cc16ee897ad0e477a7ce2358b7416771a5a08f72539aa800f90837d8fa2