Analysis
Max time kernel: 94s
Max time network: 139s
Platform: windows10-2004_x64
Resource: win10v2004-20250217-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10/03/2025, 13:43
Behavioral task behavioral1
Sample: ModsServer.jar
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: ModsServer.jar
Resource: win10v2004-20250217-en
General
Target: ModsServer.jar
Size: 1.3MB
MD5: f38e0eab88e56059de4fce3ed36a648b
SHA1: ab6385e207b6c7cdedcf7c5171e5e6078ec8f083
SHA256: 81bc6373b72bd2222078888eddd62afa82e4e6576f0954f57b8898f7fcf90c21
SHA512: 48c789ef706f5fd115d1eb717ea4d99980a8092b28db5509271d4fc96a6b16c1ddc9ed406c18f765b53670c0b53c4aa1f1a50fb50c0301eb6f087761da332840
SSDEEP: 24576:FX8Q4w/S4e3XgQPmNy9SiH2uZ1H/zDAbBau5yhsxSiB+YTAECBcz8fdG9i6p5hTP:V8Q4w/SrgW0iWuX/pu5ZTApBBfdGTPz
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1741614199918.tmp"
  process: reg.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 3444
  process: java.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process   procid_target
  PID 3444 wrote to memory of 4928   3444  java.exe  87
  PID 3444 wrote to memory of 4928   3444  java.exe  87
  PID 3444 wrote to memory of 736    3444  java.exe  89
  PID 3444 wrote to memory of 736    3444  java.exe  89
  PID 736 wrote to memory of 264     736   cmd.exe   91
  PID 736 wrote to memory of 264     736   cmd.exe   91

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid: 4928
  process: attrib.exe
Processes
1. C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
   command line: java -jar C:\Users\Admin\AppData\Local\Temp\ModsServer.jar
   PID: 3444
   signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\attrib.exe
      command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1741614199918.tmp
      PID: 4928
      signatures: Views/modifies file attributes
   2. C:\Windows\SYSTEM32\cmd.exe
      command line: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1741614199918.tmp" /f"
      PID: 736
      signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\reg.exe
         command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1741614199918.tmp" /f
         PID: 264
         signatures: Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads