Malware Analysis Report

2024-11-13 18:32

Sample ID 241106-renrxazrfx
Target GG.jar
SHA256 8283d2afe7813541a82b818e8fd2225c959f1bf193e932e3892814c0fc73a143
Tags
adwind persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8283d2afe7813541a82b818e8fd2225c959f1bf193e932e3892814c0fc73a143

Threat Level: Known bad

The file GG.jar was found to be: Known bad.

Malicious Activity Summary

adwind persistence

Adwind family

Class file contains resources related to AdWind

Adds Run key to start application

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 14:06

Signatures

Adwind family

adwind

Class file contains resources related to AdWind

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 14:06

Reported

2024-11-06 14:09

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

147s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\GG.jar

Signatures

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1730902005064.tmp"
Process: C:\Windows\system32\reg.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
Target: N/A

Views/modifies file attributes

evasion
Description: N/A
Indicator: N/A
Process: C:\Windows\SYSTEM32\attrib.exe
Target: N/A

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\GG.jar

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730902005064.tmp

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730902005064.tmp" /f"

C:\Windows\system32\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730902005064.tmp" /f
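
The process tree above shows the whole persistence chain: the sample copies itself to %APPDATA%\Microsoft\.tmp\<unix-epoch-ms>.tmp (the dropped file in the Files section carries the same SHA256 as GG.jar), attrib.exe hides the copy, and cmd.exe spawns reg.exe to register a javaw.exe -jar Run value that points at it. The script below is an added detection example, not part of the sandbox report: it correlates those command lines into a single finding, and decodes the epoch-millisecond file name into the drop time (which lines up with the 14:06 submission time). The PROCESS_EVENTS records are constructed from the Processes section; the field names pid/image/cmdline are an assumed schema and the PIDs are made up, as is the benign OneDrive control record.

```python
"""Correlate process command lines into one Run-key persistence finding:
a Run value that launches java/javaw -jar against a jar dropped in a
user-writable directory and then hidden with attrib +H.

Added detection example, not the sandbox's code. PROCESS_EVENTS is
constructed from the report's Processes section; the schema (pid, image,
cmdline) and the PIDs are assumptions, and the OneDrive record is a
constructed benign control.
"""
import re
from datetime import datetime, timezone

PROCESS_EVENTS = [
    {"pid": 3688, "image": r"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe",
     "cmdline": r"java -jar C:\Users\Admin\AppData\Local\Temp\GG.jar"},
    {"pid": 4120, "image": r"C:\Windows\SYSTEM32\attrib.exe",
     "cmdline": r"attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730902005064.tmp"},
    {"pid": 4188, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": r'cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730902005064.tmp" /f"'},
    {"pid": 4204, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730902005064.tmp" /f'},
    # Constructed benign control: a Run value launching a native binary from Program Files.
    {"pid": 5000, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /f'},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.I)  # \b excludes RunOnce/RunServices
# REG ADD <key> ... /v <name> ... /d <data>; <data> may be a quoted string containing spaces.
REG_ADD_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+(?P<key>"[^"]*"|\S+).*?/v\s+(?P<name>"[^"]*"|\S+).*?/d\s+(?P<data>"[^"]*"|\S+)',
    re.I)
# java or javaw, optionally with .exe and a closing quote, followed by -jar <path>.
JAVA_LAUNCH_RE = re.compile(r'javaw?(?:\.exe)?"?\s+-jar\s+(?P<jar>"[^"]*"|\S+)', re.I)
# attrib [+-][RASHOI]... <path>; only the +H flag matters here.
ATTRIB_RE = re.compile(r'attrib(?:\.exe)?\s+(?P<flags>(?:[+-][rashoi]\s+)+)(?P<path>"[^"]*"|\S+)', re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _unquote(s):
    return s.strip('"')


def hidden_paths(events):
    """Lower-cased paths that an attrib.exe invocation marked hidden (+H)."""
    out = set()
    for ev in events:
        m = ATTRIB_RE.search(ev["cmdline"])
        if m and "+h" in m.group("flags").lower().replace(" ", ""):
            out.add(_unquote(m.group("path")).lower())
    return out


def epoch_ms_from_name(path):
    """The dropped copy is named <unix-epoch-ms>.tmp; return that instant as
    a UTC timestamp string, or None when the file name is not 13 digits."""
    stem = path.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
    if not (stem.isdigit() and len(stem) == 13):
        return None
    return datetime.fromtimestamp(int(stem) // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def find_java_run_key_persistence(events):
    """One finding per distinct (Run value name, jar path) that launches a jar."""
    hidden = hidden_paths(events)
    seen, findings = set(), []
    for ev in events:
        m = REG_ADD_RE.search(ev["cmdline"])
        if not m or not RUN_KEY_RE.search(m.group("key")):
            continue
        jm = JAVA_LAUNCH_RE.search(_unquote(m.group("data")))
        if not jm:
            continue  # Run value that does not launch a jar: out of scope for this rule
        jar = _unquote(jm.group("jar"))
        dedupe_key = (m.group("name").lower(), jar.lower())
        if dedupe_key in seen:  # the cmd.exe wrapper and its reg.exe child carry the same command
            continue
        seen.add(dedupe_key)
        findings.append({
            "pid": ev["pid"],
            "value_name": m.group("name"),
            "jar": jar,
            "user_writable": any(marker in jar.lower() for marker in USER_WRITABLE),
            "hidden": jar.lower() in hidden,
            "created_utc": epoch_ms_from_name(jar),
        })
    return findings


if __name__ == "__main__":
    for finding in find_java_run_key_persistence(PROCESS_EVENTS):
        print(finding)
```

Run as-is, the script reports a single finding for value name Home pointing at the hidden .tmp copy under AppData\Roaming, with a drop time of 2024-11-06T14:06:45Z; the OneDrive control produces nothing because its value launches no jar. A jar path containing spaces must be quoted in the Run value for the -jar match to capture it whole, which the quoted alternative in JAVA_LAUNCH_RE handles.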

Network

All non-DNS traffic is repeated TCP to 147.185.221.23:7036, the address resolved for 23.ip.gl.ply.gg; every other row is a reverse (PTR) lookup sent to 8.8.8.8.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.ip.gl.ply.gg udp
US 147.185.221.23:7036 23.ip.gl.ply.gg tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 147.185.221.23:7036 23.ip.gl.ply.gg tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 147.185.221.23:7036 23.ip.gl.ply.gg tcp
US 147.185.221.23:7036 23.ip.gl.ply.gg tcp
US 147.185.221.23:7036 23.ip.gl.ply.gg tcp
US 147.185.221.23:7036 23.ip.gl.ply.gg tcp
US 147.185.221.23:7036 23.ip.gl.ply.gg tcp

Files

memory/3688-2-0x000002969E8B0000-0x000002969EB20000-memory.dmp

memory/3688-14-0x000002969D0E0000-0x000002969D0E1000-memory.dmp

memory/3688-16-0x000002969EB20000-0x000002969EB30000-memory.dmp

memory/3688-19-0x000002969EB30000-0x000002969EB40000-memory.dmp

memory/3688-20-0x000002969EB40000-0x000002969EB50000-memory.dmp

memory/3688-22-0x000002969EB50000-0x000002969EB60000-memory.dmp

memory/3688-24-0x000002969EB60000-0x000002969EB70000-memory.dmp

memory/3688-26-0x000002969EB70000-0x000002969EB80000-memory.dmp

memory/3688-28-0x000002969EB80000-0x000002969EB90000-memory.dmp

memory/3688-31-0x000002969EB90000-0x000002969EBA0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730902005064.tmp (hidden copy of the submitted sample: its SHA256 matches GG.jar above)

MD5 2975917970d173042280a2f2a94a90f2
SHA1 2ff157cf7f9ea3dcc19061311ff9145ee6d25167
SHA256 8283d2afe7813541a82b818e8fd2225c959f1bf193e932e3892814c0fc73a143
SHA512 36ddae37956957a822c3ced2cbe0c53ce1cce8f9b89561c557de2cec06bd1c52d4abb6421d35fe18e9e126252ea8c348a91603517ea2ae48fa22800ae99f5a26

memory/3688-36-0x000002969E8B0000-0x000002969EB20000-memory.dmp

memory/3688-37-0x000002969EBA0000-0x000002969EBB0000-memory.dmp

memory/3688-38-0x000002969D0E0000-0x000002969D0E1000-memory.dmp

memory/3688-39-0x000002969EB20000-0x000002969EB30000-memory.dmp

memory/3688-41-0x000002969EB30000-0x000002969EB40000-memory.dmp

memory/3688-42-0x000002969EB40000-0x000002969EB50000-memory.dmp

memory/3688-43-0x000002969EB50000-0x000002969EB60000-memory.dmp

memory/3688-44-0x000002969EB60000-0x000002969EB70000-memory.dmp

memory/3688-45-0x000002969EB70000-0x000002969EB80000-memory.dmp

memory/3688-46-0x000002969EB80000-0x000002969EB90000-memory.dmp

memory/3688-47-0x000002969EB90000-0x000002969EBA0000-memory.dmp

memory/3688-48-0x000002969EBA0000-0x000002969EBB0000-memory.dmp

memory/3688-51-0x000002969EBB0000-0x000002969EBC0000-memory.dmp

memory/3688-52-0x000002969D0E0000-0x000002969D0E1000-memory.dmp

memory/3688-53-0x000002969EBB0000-0x000002969EBC0000-memory.dmp