Analysis
max time kernel: 436s
max time network: 437s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
submitted: 10/03/2025, 13:15
Behavioral tasks
behavioral1: Sample ModsServer.jar, Resource win7-20240903-en
behavioral2: Sample ModsServer.jar, Resource win10v2004-20250217-en
behavioral3: Sample ModsServer.jar, Resource win10ltsc2021-20250217-en
behavioral4: Sample ModsServer.jar, Resource win11-20250217-en
General
Target: ModsServer.jar
Size: 1.3MB
MD5: f38e0eab88e56059de4fce3ed36a648b
SHA1: ab6385e207b6c7cdedcf7c5171e5e6078ec8f083
SHA256: 81bc6373b72bd2222078888eddd62afa82e4e6576f0954f57b8898f7fcf90c21
SHA512: 48c789ef706f5fd115d1eb717ea4d99980a8092b28db5509271d4fc96a6b16c1ddc9ed406c18f765b53670c0b53c4aa1f1a50fb50c0301eb6f087761da332840
SSDEEP: 24576:FX8Q4w/S4e3XgQPmNy9SiH2uZ1H/zDAbBau5yhsxSiB+YTAECBcz8fdG9i6p5hTP:V8Q4w/SrgW0iWuX/pu5ZTApBBfdGTPz
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1741612620477.tmp"
  process: reg.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 320, process java.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process   procid_target
  PID 320 wrote to memory of 3944    320   java.exe  89
  PID 320 wrote to memory of 3944    320   java.exe  89
  PID 320 wrote to memory of 2448    320   java.exe  91
  PID 320 wrote to memory of 2448    320   java.exe  91
  PID 2448 wrote to memory of 1216   2448  cmd.exe   93
  PID 2448 wrote to memory of 1216   2448  cmd.exe   93
Views/modifies file attributes (1 TTP, 1 IoC)
  pid 3944, process attrib.exe
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  command line: java -jar C:\Users\Admin\AppData\Local\Temp\ModsServer.jar
  PID: 320
  signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  ⤵ C:\Windows\SYSTEM32\attrib.exe
      command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1741612620477.tmp
      PID: 3944
      signatures: Views/modifies file attributes
  ⤵ C:\Windows\SYSTEM32\cmd.exe
      command line: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1741612620477.tmp" /f"
      PID: 2448
      signatures: Suspicious use of WriteProcessMemory
      ⤵ C:\Windows\system32\reg.exe
          command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1741612620477.tmp" /f
          PID: 1216
          signatures: Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 25KB
MD5: 7ceec42a0a4baf7454614b029d79c9ac
SHA1: ba1a027cb18ba1d4007878be194fd54f2ac82a51
SHA256: 57a5079393cac2fb9f3c1344d4b05a9a97614dd700efe6db560d221416d6bc35
SHA512: f6cd6a2e829535a4a8d94e84d3063bdd93a227c9e889009b6c506a4dc880a2194971592316d22c4dd470cc63a5f5a2c54b143a2180d800020972bde43c36ffde

Filesize: 1.3MB
MD5: f38e0eab88e56059de4fce3ed36a648b
SHA1: ab6385e207b6c7cdedcf7c5171e5e6078ec8f083
SHA256: 81bc6373b72bd2222078888eddd62afa82e4e6576f0954f57b8898f7fcf90c21
SHA512: 48c789ef706f5fd115d1eb717ea4d99980a8092b28db5509271d4fc96a6b16c1ddc9ed406c18f765b53670c0b53c4aa1f1a50fb50c0301eb6f087761da332840