Analysis

- max time kernel: 138s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05/03/2025, 03:54

Static task: static1
Behavioral task: behavioral1
Sample: javs.exe
Resource: win7-20240903-en
General

- Target: javs.exe
- Size: 645KB
- MD5: b7f4ecc258e5795b93cf4c8239d80cae
- SHA1: 457b52c2e260527ec6a648cac7b5170125f8952a
- SHA256: f5f915bab2da6d58e9c07823cd89594f631425a041cd2e642b5f1a64ca23203e
- SHA512: 94578f60c1d5b0ca637047a52df3109c1233f8a9a790640af245cef59c74b5f8a0eb988b917fbdb3f1822ac339cea2e3679db06e3babca8e3455ea7681120fc0
- SSDEEP: 12288:upcJsqHRb0bgiB+/iVWRTPwbmA20i4o+nsltXS879jKVoMNug9Szi:upcJsobEg4vVWRjwbmAS47nsP79jioVr
Malware Config
Signatures

- Hawkeye family

Detected Nirsoft tools (12 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
NirSoft MailPassView (9 IoCs)
Password recovery tool for various email clients
NirSoft WebBrowserPassView (9 IoCs)
Password recovery tool for various web browsers
Uses the VBS compiler for execution (1 TTPs)
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe |
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

| flow | ioc |
|---|---|
| 8 | whatismyipaddress.com |
Suspicious use of SetThreadContext (3 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1568 set thread context of 3008 | 1568 | javs.exe | 33 |
| PID 3008 set thread context of 2820 | 3008 | javs.exe | 35 |
| PID 3008 set thread context of 2992 | 3008 | javs.exe | 36 |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | javs.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | javs.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe |
Modifies system certificate store (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [data elided] | javs.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [data elided] | javs.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [data elided] | javs.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | javs.exe |
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 2464 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses (1 IoCs)

| pid | Process |
|---|---|
| 2992 | vbc.exe |
Suspicious use of AdjustPrivilegeToken (1 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 3008 | javs.exe |
Suspicious use of SetWindowsHookEx (1 IoCs)

| pid | Process |
|---|---|
| 3008 | javs.exe |
Suspicious use of WriteProcessMemory (33 IoCs, 4 distinct rows; repeated rows collapsed)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1568 wrote to memory of 2464 | 1568 | javs.exe | 31 |
| PID 1568 wrote to memory of 3008 | 1568 | javs.exe | 33 |
| PID 3008 wrote to memory of 2820 | 3008 | javs.exe | 35 |
| PID 3008 wrote to memory of 2992 | 3008 | javs.exe | 36 |
Processes

- C:\Users\Admin\AppData\Local\Temp\javs.exe (PID 1568)
  Command line: "C:\Users\Admin\AppData\Local\Temp\javs.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe (PID 2464)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Cpudll" /XML "C:\Users\Admin\AppData\Local\Temp\z918"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  - C:\Users\Admin\AppData\Local\Temp\javs.exe (PID 3008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\javs.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2820)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts
      - System Location Discovery: System Language Discovery

    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2992)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15

- Execution
  - Command and Scripting Interpreter (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Defense Evasion
  - Modify Registry (1)
  - Subvert Trust Controls (1)
    - Install Root Certificate (1)
Downloads