Analysis
max time kernel: 438s
max time network: 439s
platform: windows11-21h2_x64
resource: win11-20250217-en
resource tags: arch:x64, arch:x86, image:win11-20250217-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10/03/2025, 13:15
Behavioral tasks
behavioral1: sample ModsServer.jar, resource win7-20240903-en
behavioral2: sample ModsServer.jar, resource win10v2004-20250217-en
behavioral3: sample ModsServer.jar, resource win10ltsc2021-20250217-en
behavioral4: sample ModsServer.jar, resource win11-20250217-en
General
Target: ModsServer.jar
Size: 1.3MB
MD5: f38e0eab88e56059de4fce3ed36a648b
SHA1: ab6385e207b6c7cdedcf7c5171e5e6078ec8f083
SHA256: 81bc6373b72bd2222078888eddd62afa82e4e6576f0954f57b8898f7fcf90c21
SHA512: 48c789ef706f5fd115d1eb717ea4d99980a8092b28db5509271d4fc96a6b16c1ddc9ed406c18f765b53670c0b53c4aa1f1a50fb50c0301eb6f087761da332840
SSDEEP: 24576:FX8Q4w/S4e3XgQPmNy9SiH2uZ1H/zDAbBau5yhsxSiB+YTAECBcz8fdG9i6p5hTP:V8Q4w/SrgW0iWuX/pu5ZTApBBfdGTPz
Malware Config

Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1741612620754.tmp"
  process: reg.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 2648
  process: java.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                          | pid  | process  | procid_target
  PID 2648 wrote to memory of 5144     | 2648 | java.exe | 83
  PID 2648 wrote to memory of 5144     | 2648 | java.exe | 83
  PID 2648 wrote to memory of 3344     | 2648 | java.exe | 85
  PID 2648 wrote to memory of 3344     | 2648 | java.exe | 85
  PID 3344 wrote to memory of 4800     | 3344 | cmd.exe  | 87
  PID 3344 wrote to memory of 4800     | 3344 | cmd.exe  | 87

Views/modifies file attributes (1 TTP, 1 IoC)
  pid: 5144
  process: attrib.exe
Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  command line: java -jar C:\Users\Admin\AppData\Local\Temp\ModsServer.jar
  PID: 2648
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\attrib.exe
    command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1741612620754.tmp
    PID: 5144
    - Views/modifies file attributes

  C:\Windows\SYSTEM32\cmd.exe
    command line: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1741612620754.tmp" /f"
    PID: 3344
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1741612620754.tmp" /f
      PID: 4800
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 25KB
MD5: 41930621ce6c64a46d2a5706fc07d5f6
SHA1: ac20d6f9bb24d08fd311b57a0dc86a81c8cf0180
SHA256: 3c1dbbddca623f56905cf0ce740b0f19edcf72ab98ff913c250890f9863d8852
SHA512: 76773754ddd4554302e4af46b3476e5e8168f6200f5037afde92c4f6ee3f4d63e4103cf3c0a1acbf53d25593463d17f2e76ab6a6c40678011fae3b03c8e8732e

Filesize: 52KB
MD5: 6472fa767f857cf28e44bb8511887013
SHA1: 0a4f1cd554080066e6fc7d796d1c8bb2090cce7c
SHA256: 5de17c6b1f7d759e7cdd29f35664076b0d5fb75e02e92f3e43f7bf5d789adad7
SHA512: 071f8c47005a3e5f33664fdb82f757b4e1464e0cec9934481a17546a1953a16b38333dbc57efc9bfa4a3987057dfd9b6583c43ce5abcccf85a85aa357a40ec86

Filesize: 50KB
MD5: 004b3314b37dfda494a557e83d20ff78
SHA1: 7f1331f4b16bda161372cb0b93ab563466056156
SHA256: 908163ecb6f632ffe3a9436856c99e9efb1f1818b158e5779fa21d00437f2cf4
SHA512: 1e8a606d1267299d07083b2d421398d59c14c42582d4741f98d2a2080bce6e7b6caa87fc5450bd68fae6647819ad604d1ed1761ef3c1d760206029fdbd296565

Filesize: 25KB
MD5: ff05c0ad3462fc2455c2ae969e9c0945
SHA1: a6bd179a98b81597431846d707782f1e565a862d
SHA256: a517ebcba63ed0853cb521c0217f56505a842142a930fde187a692b7cda4c1b9
SHA512: 117a45ee1e58f5512f198901dd29fde8849b92269cdac839bcfa6f0581b9c08c12553e261649e5af2d78ca1eb1fea0e7d8da83186fbdae784ccc403e7099e013

Filesize: 52KB
MD5: 05b6d5545c13ebe9220f6374f8eaf1a9
SHA1: de24a128d12df1873886eb1e4f5b623fd984eb19
SHA256: 1127ceac4af37289498eb854dd155fa75a97e913ef1426b716da001958bb26e6
SHA512: fdb3226959c17c7e27ab4f58562fea780568369e68f4f688532e4964cd0c41f3af49dda6bd4f8ff785ae1e9cb523b6c61668639b9c83644ba47b625abdfbdf4f

Filesize: 28KB
MD5: 1f0f9fd481cb0fb43f0a88479a1457d1
SHA1: 12879de6c3119695d27f5d02e35c63564ed4220b
SHA256: 6584c431418996f202c0bf43a6c46d5c587967b1a3449bad60b443ee033ccd34
SHA512: ec78cd8200e51dc185c1232d993096987d92337c2064e9c10cbbab705ef1b6b02c6515f4860c17acf39eab9eacf00fedb617bfecd9875aee78a7c5fb026b5ca0

Filesize: 1.3MB
MD5: f38e0eab88e56059de4fce3ed36a648b
SHA1: ab6385e207b6c7cdedcf7c5171e5e6078ec8f083
SHA256: 81bc6373b72bd2222078888eddd62afa82e4e6576f0954f57b8898f7fcf90c21
SHA512: 48c789ef706f5fd115d1eb717ea4d99980a8092b28db5509271d4fc96a6b16c1ddc9ed406c18f765b53670c0b53c4aa1f1a50fb50c0301eb6f087761da332840