Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
01/03/2025, 12:47
Behavioral task
behavioral1
Sample
SoulLoader2.1.1-fix.jar
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
SoulLoader2.1.1-fix.jar
Resource
win10v2004-20250217-en
General
-
Target
SoulLoader2.1.1-fix.jar
-
Size
2.5MB
-
MD5
bc0b8f3baa70ce0ddd26603de8c0ce85
-
SHA1
5d4d9fbb1415c3bcbf0fcbfed53baf748780f6f8
-
SHA256
4bb33174d50928522e355c96d61b6508a436309c984fb839f6c7cf53c66403d9
-
SHA512
5d036b4382a98eb99eecfcfa56b3eb879d91c7592bd2fae962e7ecf15cd22e7e34ed8452c98b7cff1def654df37635ab6058dbdc67ff64b8dcc5d2207b46f10c
-
SSDEEP
49152:IDQrDuHYsHJgaub4h2c1n9wAW5QfAVz8ozBhGPLwjIQgqynlFllNps8Vuc:IsrlsH5E4h2c1TWVoIhkDQg5nlV
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1740833240939.tmp" reg.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1564 cmd.exe 208 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 208 PING.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1592 java.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1592 wrote to memory of 4576 1592 java.exe 89 PID 1592 wrote to memory of 4576 1592 java.exe 89 PID 1592 wrote to memory of 4020 1592 java.exe 91 PID 1592 wrote to memory of 4020 1592 java.exe 91 PID 4020 wrote to memory of 3412 4020 cmd.exe 93 PID 4020 wrote to memory of 3412 4020 cmd.exe 93 PID 1592 wrote to memory of 3460 1592 java.exe 117 PID 1592 wrote to memory of 3460 1592 java.exe 117 PID 3460 wrote to memory of 664 3460 cmd.exe 119 PID 3460 wrote to memory of 664 3460 cmd.exe 119 PID 1592 wrote to memory of 1564 1592 java.exe 120 PID 1592 wrote to memory of 1564 1592 java.exe 120 PID 1564 wrote to memory of 208 1564 cmd.exe 122 PID 1564 wrote to memory of 208 1564 cmd.exe 122 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4576 attrib.exe
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\SoulLoader2.1.1-fix.jar1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1740833240939.tmp2⤵
- Views/modifies file attributes
PID:4576
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1740833240939.tmp" /f"2⤵
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1740833240939.tmp" /f3⤵
- Adds Run key to start application
PID:3412
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /f"2⤵
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\system32\reg.exeREG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /f3⤵PID:664
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c ping localhost -n 6 > nul && del C:\Users\Admin\AppData\Local\Temp\SoulLoader2.1.1-fix.jar2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\system32\PING.EXEping localhost -n 63⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:208
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5bc0b8f3baa70ce0ddd26603de8c0ce85
SHA15d4d9fbb1415c3bcbf0fcbfed53baf748780f6f8
SHA2564bb33174d50928522e355c96d61b6508a436309c984fb839f6c7cf53c66403d9
SHA5125d036b4382a98eb99eecfcfa56b3eb879d91c7592bd2fae962e7ecf15cd22e7e34ed8452c98b7cff1def654df37635ab6058dbdc67ff64b8dcc5d2207b46f10c