Analysis
Max time kernel: 38s
Max time network: 40s
Platform: windows10-2004_x64
Resource: win10v2004-20250217-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01/03/2025, 10:28
Behavioral task behavioral1
Sample: SoulLoader2.1.1.jar
Resource: win7-20241010-en
Behavioral task behavioral2
Sample: SoulLoader2.1.1.jar
Resource: win10v2004-20250217-en
General
Target: SoulLoader2.1.1.jar
Size: 2.3MB
MD5: 1f9cdc5f45cde954f4a387f18ab1f2c8
SHA1: cd328e048fca92cc5ca996099d8b69f1859b550b
SHA256: bf946b4968590e96483a904487e1e4acc996f6498960d87b7c6a36f08e1669bf
SHA512: 642ad6d022d5b76719f02741b897189187cf7cb16437cbb62fc15b06e92da3b25b9d695c861e731e10ef4a233a8cf25e42d6e3688871b073875afa0ca7cffdc2
SSDEEP: 49152:iNQZNAte41nAyuDuMBiqqMoHlD/WvV8tSwgUTu38Ljd:iOZ941v0uMBFqbee1gwTLJ
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1740824945454.tmp"
  Process: reg.exe
Suspicious behavior: LoadsDriver (6 IoCs)
  PID 4: Process not Found (5 events)
  PID 656: Process not Found (1 event)
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4280: java.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4280 (java.exe) wrote to memory of PID 536, procid_target 91 (2 events)
  PID 4280 (java.exe) wrote to memory of PID 3252, procid_target 93 (2 events)
  PID 3252 (cmd.exe) wrote to memory of PID 4752, procid_target 95 (2 events)
Views/modifies file attributes (1 TTP, 1 IoC)
  PID 536: attrib.exe
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\SoulLoader2.1.1.jar
  PID: 4280
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\attrib.exe (child of PID 4280)
    Command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1740824945454.tmp
    PID: 536
    - Views/modifies file attributes
  C:\Windows\SYSTEM32\cmd.exe (child of PID 4280)
    Command line: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1740824945454.tmp" /f"
    PID: 3252
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (child of PID 3252)
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1740824945454.tmp" /f
      PID: 4752
      - Adds Run key to start application
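The following script is an added example, not part of this sandbox report and not code from the sample: it turns the process tree above into detection logic for the persistence chain java.exe -> cmd.exe -> reg.exe writing an HKCU Run value that relaunches javaw.exe -jar on a dropped .tmp file, with attrib +H hiding that file. The events are constructed Sysmon-style process-creation records; the images, command lines and PIDs 4280/536/3252/4752 are copied from the tree, while the parent PID 1234 of java.exe and the OneDrive Run entry are placeholders added as a benign control.

```python
"""Detect a Java-launched Run-key persistence chain (java -> cmd -> reg add ... /v X /d
"javaw.exe -jar <dropped file>") in Sysmon-style process-creation events.
Added example; events are constructed from the sandbox process tree, not a raw log."""
import re
from datetime import datetime, timezone

# Constructed events. ppid 1234 and the OneDrive entry are placeholders for the example.
EVENTS = [
    {"pid": 4280, "ppid": 1234,
     "image": r"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe",
     "cmdline": r"java -jar C:\Users\Admin\AppData\Local\Temp\SoulLoader2.1.1.jar"},
    {"pid": 536, "ppid": 4280, "image": r"C:\Windows\SYSTEM32\attrib.exe",
     "cmdline": r"attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1740824945454.tmp"},
    {"pid": 3252, "ppid": 4280, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": r'cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1740824945454.tmp" /f"'},
    {"pid": 4752, "ppid": 3252, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1740824945454.tmp" /f'},
    # Benign control (constructed): an ordinary Run entry that must not fire.
    {"pid": 5000, "ppid": 1234, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /d "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background" /f'},
]

REG_ADD_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+(?P<key>\S+)\s+/v\s+(?P<name>\S+)\s+/d\s+(?:"(?P<qdata>[^"]*)"|(?P<data>\S+))',
    re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
JAVA_JAR_RE = re.compile(r'javaw?(?:\.exe)?"?\s+-jar\s+"?(?P<jar>[^"]+?)"?\s*$', re.IGNORECASE)
APPDATA_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
EPOCH_MS_RE = re.compile(r"\\(?P<ms>\d{13})\.[A-Za-z0-9]+$")
ATTRIB_HIDE_RE = re.compile(r'attrib(?:\.exe)?\s+.*\+h\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)


def parse_reg_add(cmdline):
    """Return {key, name, data} for a 'reg add <key> /v <name> /d <data>' command line, else None."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    data = m.group("qdata") if m.group("qdata") is not None else m.group("data")
    return {"key": m.group("key"), "name": m.group("name"), "data": data}


def jar_launch_target(data):
    """If a Run value's data runs java/javaw with -jar, return the file it will load."""
    m = JAVA_JAR_RE.search(data)
    return m.group("jar").strip() if m else None


def epoch_ms_to_utc(ms):
    """Render a 13-digit millisecond epoch (Java System.currentTimeMillis style) as UTC."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def run_value_reasons(data):
    """Why a Run value's data looks like this persistence pattern (empty list = no match)."""
    jar = jar_launch_target(data)
    if jar is None:
        return []
    reasons = ["Run value launches a Java archive with -jar"]
    if APPDATA_RE.match(jar):
        reasons.append("archive lives under user-writable AppData")
    if not jar.lower().endswith(".jar"):
        reasons.append("archive does not carry a .jar extension")
    m = EPOCH_MS_RE.search(jar)
    if m:
        reasons.append("filename is a millisecond epoch (%s); do not treat it as a stable IoC"
                       % epoch_ms_to_utc(int(m.group("ms"))))
    return reasons


def detect(events):
    """Flag Run-key writes matching the chain; one dict per suspicious event, in event order."""
    by_pid = {e["pid"]: e for e in events}
    # Paths hidden with attrib +H anywhere in the event set, lower-cased for comparison.
    hidden = {m.group("path").lower()
              for e in events for m in [ATTRIB_HIDE_RE.search(e["cmdline"])] if m}
    hits = []
    for e in events:
        reg = parse_reg_add(e["cmdline"])
        if reg is None or not RUN_KEY_RE.search(reg["key"]):
            continue
        reasons = run_value_reasons(reg["data"])
        if not reasons:
            continue
        jar = jar_launch_target(reg["data"])
        if jar.lower() in hidden:
            reasons.append("same file was hidden with attrib +H")
        # Walk the parent chain (guarding against pid-reuse loops) looking for a Java ancestor.
        chain, seen, cur = [], set(), e
        while cur is not None and cur["pid"] not in seen:
            seen.add(cur["pid"])
            chain.append(cur["image"].rsplit("\\", 1)[-1].lower())
            cur = by_pid.get(cur["ppid"])
        if any(img in ("java.exe", "javaw.exe") for img in chain[1:]):
            reasons.append("launched from a Java process")
        hits.append({"pid": e["pid"], "value_name": reg["name"], "jar": jar,
                     "chain": " <- ".join(chain), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(h["pid"], h["chain"], h["jar"])
        for r in h["reasons"]:
            print("  -", r)
```

Two caveats the tree itself supports: the dropped file name 1740824945454 is a millisecond epoch that decodes to 2025-03-01 10:29:05 UTC, matching the submission time, so the name is generated at run time and detection should key on the Run-value pattern and the AppData\Roaming\Microsoft\.tmp\ directory rather than on that filename; and the Run value hard-codes C:\Program Files\Java\jre-1.8\bin\javaw.exe, whereas the sandbox launched the sample through the javapath java.exe, so on a host without that exact JRE path the persistence entry will fail at logon.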
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.3MB
MD5: 1f9cdc5f45cde954f4a387f18ab1f2c8
SHA1: cd328e048fca92cc5ca996099d8b69f1859b550b
SHA256: bf946b4968590e96483a904487e1e4acc996f6498960d87b7c6a36f08e1669bf
SHA512: 642ad6d022d5b76719f02741b897189187cf7cb16437cbb62fc15b06e92da3b25b9d695c861e731e10ef4a233a8cf25e42d6e3688871b073875afa0ca7cffdc2