Analysis
-
max time kernel
137s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
26/02/2025, 17:33
Behavioral task
behavioral1
Sample
FA-41-02-2025.jar
Resource
win7-20240903-en
0 signatures
150 seconds
Behavioral task
behavioral2
Sample
FA-41-02-2025.jar
Resource
win10v2004-20250217-en
3 signatures
150 seconds
General
-
Target
FA-41-02-2025.jar
-
Size
1.5MB
-
MD5
50731d5b5b4aab7128302d296a58c91c
-
SHA1
d7c02e16ab2051711afda4a0faee833a935eca2c
-
SHA256
d63433471f553c9a0797dfc0d12c992cc8ba83b6130e34a5950bcf87c88b0d51
-
SHA512
e66f7ec2b479cb29dba17054b5c91879dcfc7823ab91e04ff6b82815aa83a1d21f98c47a1041d8c9c3bc0415350f528a24a4707fd4a35db9c2efe8cfd7134db9
-
SSDEEP
24576:jps9qfFGQMTWgfl/5FsrP8hSc3RhUS27MZk6WvU1uheeeCxT0BtGfZREm9ZP:ds9qFGQ8N/56YNhhUS2kkNo88CdoGfHP
Score
6/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1740591210507.tmp" reg.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5116 java.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 5116 wrote to memory of 4936 5116 java.exe 89 PID 5116 wrote to memory of 4936 5116 java.exe 89 PID 4936 wrote to memory of 4572 4936 cmd.exe 91 PID 4936 wrote to memory of 4572 4936 cmd.exe 91
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\FA-41-02-2025.jar1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1740591210507.tmp" /f"2⤵
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1740591210507.tmp" /f3⤵
- Adds Run key to start application
PID:4572
-
-