Analysis Overview
SHA256
39ab8b4c44eae3af560333ef83087a2d211e5af82c052b48a8fbb131f5f8850a
Threat Level: Known bad
The file build.jar was found to be: Known bad.
Malicious Activity Summary
Adwind family
Class file contains resources related to AdWind
Adds Run key to start application
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-18 01:02
Signatures
Adwind family
Class file contains resources related to AdWind
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-18 01:02
Reported
2024-11-18 01:04
Platform
win11-20241007-en
Max time kernel
138s
Max time network
151s
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731891743328.tmp" | C:\Windows\system32\reg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3756 wrote to memory of 3660 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 3756 wrote to memory of 3660 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 3660 wrote to memory of 1124 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 3660 wrote to memory of 1124 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\reg.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\build.jar
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731891743328.tmp" /f"
C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731891743328.tmp" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | who-gabriel.gl.at.ply.gg | udp |
| US | 147.185.221.23:45700 | who-gabriel.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 23.221.185.147.in-addr.arpa | udp |
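The persistence and network behaviour recorded above, turned into triage logic as an added example (this is not part of the sandbox report): it parses the `REG ADD` command line and the resulting Run-key write, scores the autorun value for the traits visible in this run (javaw.exe launched with `-jar` on a numeric `.tmp` file under `%APPDATA%\Microsoft\.tmp`; the stem 1731891743328 is a Unix epoch in milliseconds and decodes to 2024-11-18 01:02:23 UTC, the detonation time), and matches network events against the report's destination and hostname. The event records are constructed from the process tree and tables on this page, their field names are an assumption rather than any product's schema, the `example.net` event is a constructed benign control, and the `.ply.gg` suffix match is a hunting heuristic (the domain belongs to the playit.gg tunnelling service), not an indicator from the report.

```python
"""Triage checks for the build.jar run above (added example, not sandbox output)."""
import re
from datetime import datetime, timezone
from typing import Optional

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE
)
# "<path>\javaw.exe -jar <target>" with optional quotes around either path.
JAVA_JAR_RE = re.compile(
    r'^"?(?P<launcher>(?:[A-Za-z]:\\[^"]*?\\)?javaw?\.exe)"?\s+-jar\s+"?(?P<jar>[^"]+?)"?\s*$',
    re.IGNORECASE,
)
# Indicators copied from the Network table of this report.
REPORT_C2_DOMAINS = {"who-gabriel.gl.at.ply.gg"}
REPORT_C2_SOCKETS = {("147.185.221.23", 45700)}

# The reg.exe command line from the Processes section, reused by the cmd.exe wrapper.
REG_ADD = (r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home '
           r'/d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar '
           r'C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731891743328.tmp" /f')
# Constructed telemetry modelled on behavioral1 (PIDs 3756 -> 3660 -> 1124); schema is assumed.
EVENTS = [
    {"type": "process", "pid": 3756, "cmdline": r"java -jar C:\Users\Admin\AppData\Local\Temp\build.jar"},
    {"type": "process", "pid": 3660, "cmdline": 'cmd.exe /c "' + REG_ADD + '"'},
    {"type": "process", "pid": 1124, "cmdline": REG_ADD},
    {"type": "registry", "pid": 1124,
     "key": r"\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\Home",
     "data": r"C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar "
             r"C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731891743328.tmp"},
    {"type": "network", "pid": 3756, "domain": "who-gabriel.gl.at.ply.gg",
     "dst_ip": "147.185.221.23", "dst_port": 45700},
    {"type": "network", "pid": 3756, "domain": "example.net",  # constructed benign control
     "dst_ip": "192.0.2.10", "dst_port": 443},
]


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Extract key, value name, data and /f from a REG ADD line; None if it is not one.

    A regex is used instead of shlex, which would eat Windows backslashes. The search
    starts at 'reg add' wherever it sits, so the cmd.exe /c "..." wrapper parses too."""
    m = re.search(r'(?i)\breg(?:\.exe)?\s+add\s+(?P<key>"[^"]+"|\S+)(?P<rest>.*)', cmdline)
    if not m:
        return None
    rest = m.group("rest")

    def option(flag: str) -> Optional[str]:
        fm = re.search(r'(?i)(?:^|\s)/%s\s+("[^"]+"|\S+)' % flag, rest)
        return fm.group(1).strip('"') if fm else None

    return {"key": m.group("key").strip('"'), "name": option("v"), "data": option("d"),
            "force": re.search(r"(?i)(?:^|\s)/f\b", rest) is not None}


def decode_epoch_name(path: str) -> Optional[datetime]:
    """If the file stem is a 13-digit number, read it as Unix epoch milliseconds (UTC)."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem.isdigit() and len(stem) == 13:
        return datetime.fromtimestamp(int(stem) / 1000, tz=timezone.utc)
    return None


def run_value_findings(data: str) -> list[str]:
    """Suspicious traits of an autorun value's command, or [] when it is not java -jar."""
    m = JAVA_JAR_RE.match(data.strip())
    if not m:
        return []
    findings = ["Java launcher with -jar in an autorun value"]
    jar = m.group("jar")
    if not jar.lower().endswith(".jar"):
        findings.append("jar target does not carry a .jar extension")
    if "\\appdata\\roaming\\microsoft\\.tmp\\" in jar.lower():
        findings.append(r"target under %APPDATA%\Microsoft\.tmp")
    when = decode_epoch_name(jar)
    if when is not None:
        findings.append("filename is an epoch-ms timestamp: " + when.isoformat(timespec="seconds"))
    return findings


def scan(events: list[dict]) -> list[dict]:
    """Run the persistence and C2 checks over events; duplicate alerts are collapsed."""
    alerts, seen = [], set()

    def emit(pid: int, technique: str, detail: str, traits: list[str]) -> None:
        if (technique, detail) not in seen:
            seen.add((technique, detail))
            alerts.append({"pid": pid, "technique": technique, "detail": detail, "traits": traits})

    for ev in events:
        if ev["type"] == "process":
            parsed = parse_reg_add(ev["cmdline"])
            if parsed and RUN_KEY_RE.search(parsed["key"]):
                traits = run_value_findings(parsed["data"] or "")
                if traits:  # T1547.001: Registry Run Keys
                    emit(ev["pid"], "T1547.001", "reg add %s\\%s" % (parsed["key"], parsed["name"]), traits)
        elif ev["type"] == "registry":
            if RUN_KEY_RE.search(ev["key"].rsplit("\\", 1)[0]):
                traits = run_value_findings(ev["data"])
                if traits:
                    emit(ev["pid"], "T1547.001", "set " + ev["key"], traits)
        elif ev["type"] == "network":
            dom = ev["domain"].lower()
            if dom in REPORT_C2_DOMAINS or (ev["dst_ip"], ev["dst_port"]) in REPORT_C2_SOCKETS \
                    or dom.endswith(".ply.gg"):
                emit(ev["pid"], "C2-indicator", "%s -> %s:%d" % (dom, ev["dst_ip"], ev["dst_port"]), [])
    return alerts


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert["pid"], alert["technique"], alert["detail"], *alert["traits"], sep="\n  ")
```

Run as a script it prints three alerts: the Run-key write seen once through the reg.exe command line (the cmd.exe wrapper produces the same detail and is collapsed), once as the registry set-value event, and the TCP connection to 147.185.221.23:45700. The same functions can be pointed at real telemetry by mapping its fields onto the `type`/`cmdline`/`key`/`data`/`domain` names used here.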
Files
memory/3756-2-0x00000211E5980000-0x00000211E5BF0000-memory.dmp
memory/3756-14-0x00000211E40B0000-0x00000211E40B1000-memory.dmp
memory/3756-16-0x00000211E5BF0000-0x00000211E5C00000-memory.dmp
memory/3756-18-0x00000211E5C00000-0x00000211E5C10000-memory.dmp
memory/3756-20-0x00000211E5C10000-0x00000211E5C20000-memory.dmp
memory/3756-23-0x00000211E5C20000-0x00000211E5C30000-memory.dmp
memory/3756-24-0x00000211E5C30000-0x00000211E5C40000-memory.dmp
memory/3756-26-0x00000211E5C40000-0x00000211E5C50000-memory.dmp
memory/3756-28-0x00000211E5C50000-0x00000211E5C60000-memory.dmp
memory/3756-31-0x00000211E5C60000-0x00000211E5C70000-memory.dmp
memory/3756-35-0x00000211E5980000-0x00000211E5BF0000-memory.dmp
memory/3756-36-0x00000211E5C70000-0x00000211E5C80000-memory.dmp
memory/3756-39-0x00000211E40B0000-0x00000211E40B1000-memory.dmp
memory/3756-40-0x00000211E5BF0000-0x00000211E5C00000-memory.dmp
memory/3756-42-0x00000211E5C00000-0x00000211E5C10000-memory.dmp
memory/3756-43-0x00000211E5C10000-0x00000211E5C20000-memory.dmp
memory/3756-44-0x00000211E5C20000-0x00000211E5C30000-memory.dmp
memory/3756-45-0x00000211E5C30000-0x00000211E5C40000-memory.dmp
memory/3756-46-0x00000211E5C40000-0x00000211E5C50000-memory.dmp
memory/3756-47-0x00000211E5C50000-0x00000211E5C60000-memory.dmp
memory/3756-48-0x00000211E5C60000-0x00000211E5C70000-memory.dmp
memory/3756-49-0x00000211E5C70000-0x00000211E5C80000-memory.dmp
memory/3756-53-0x00000211E5C80000-0x00000211E5C90000-memory.dmp
memory/3756-54-0x00000211E5C80000-0x00000211E5C90000-memory.dmp
memory/3756-58-0x00000211E5C90000-0x00000211E5CA0000-memory.dmp
memory/3756-63-0x00000211E5C90000-0x00000211E5CA0000-memory.dmp