6bc9a97dbce33fded1b203a6d758f4b18d9c5aba4340d142afb92d16e18cc5ab

Analysis

max time kernel
23s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2025, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.jar
Size

639KB
MD5

96cb7c121c63f94f22d4ebcf2627a27b
SHA1

5291d5ffe367e3f87da1d502e636f3f1c0d16a94
SHA256

6bc9a97dbce33fded1b203a6d758f4b18d9c5aba4340d142afb92d16e18cc5ab
SHA512

9ea69d671052bf61d7a64edaeb31ec151220dfa5c59f1d2a96ad03d8d5d50379864fba5895f77668520f399c8622d687b46b5e5d3027064d7be02fdbb0022ee6
SSDEEP

12288:OH3pQV/7z50j94t145c7g+/bR7+hvYNanygy5iRdM38us2BMSiNDkq:OHZQFJ0h4zT7g+1mCanTQB8uRBPiNDkq

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1743842145874.tmp"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2808	java.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1020	2808	java.exe	90
PID 2808 wrote to memory of 1020	2808	java.exe	90
PID 2808 wrote to memory of 2472	2808	java.exe	92
PID 2808 wrote to memory of 2472	2808	java.exe	92
PID 2472 wrote to memory of 3512	2472	cmd.exe	94
PID 2472 wrote to memory of 3512	2472	cmd.exe	94
PID 2808 wrote to memory of 4212	2808	java.exe	105
PID 2808 wrote to memory of 4212	2808	java.exe	105

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1020	attrib.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\client.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SYSTEM32\attrib.exe
  attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1743842145874.tmp
  2⤵
  - Views/modifies file attributes
  PID:1020
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1743842145874.tmp" /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1743842145874.tmp" /f
    3⤵
    - Adds Run key to start application
    PID:3512
- C:\Windows\SYSTEM32\reg.exe
  reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Home
  2⤵
  PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1743842145874.tmp
1⤵
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1743842145874.tmp

Filesize
639KB

MD5
96cb7c121c63f94f22d4ebcf2627a27b

SHA1
5291d5ffe367e3f87da1d502e636f3f1c0d16a94

SHA256
6bc9a97dbce33fded1b203a6d758f4b18d9c5aba4340d142afb92d16e18cc5ab

SHA512
9ea69d671052bf61d7a64edaeb31ec151220dfa5c59f1d2a96ad03d8d5d50379864fba5895f77668520f399c8622d687b46b5e5d3027064d7be02fdbb0022ee6

Download Submit
memory/2808-2-0x000001A600000000-0x000001A600270000-memory.dmp

Filesize
2.4MB

Download
memory/2808-14-0x000001A6746A0000-0x000001A6746A1000-memory.dmp

Filesize
4KB

Download
memory/2808-18-0x000001A600280000-0x000001A600290000-memory.dmp

Filesize
64KB

Download
memory/2808-17-0x000001A600270000-0x000001A600280000-memory.dmp

Filesize
64KB

Download
memory/2808-22-0x000001A6002A0000-0x000001A6002B0000-memory.dmp

Filesize
64KB

Download
memory/2808-21-0x000001A600290000-0x000001A6002A0000-memory.dmp

Filesize
64KB

Download
memory/2808-26-0x000001A6002C0000-0x000001A6002D0000-memory.dmp

Filesize
64KB

Download
memory/2808-25-0x000001A6002B0000-0x000001A6002C0000-memory.dmp

Filesize
64KB

Download
memory/2808-28-0x000001A6002D0000-0x000001A6002E0000-memory.dmp

Filesize
64KB

Download
memory/2808-31-0x000001A6002E0000-0x000001A6002F0000-memory.dmp

Filesize
64KB

Download
memory/2808-34-0x000001A6002F0000-0x000001A600300000-memory.dmp

Filesize
64KB

Download
memory/2808-33-0x000001A600000000-0x000001A600270000-memory.dmp

Filesize
2.4MB

Download
memory/2808-38-0x000001A600300000-0x000001A600310000-memory.dmp

Filesize
64KB

Download
memory/2808-43-0x000001A600310000-0x000001A600320000-memory.dmp

Filesize
64KB

Download
memory/2808-42-0x000001A600280000-0x000001A600290000-memory.dmp

Filesize
64KB

Download
memory/2808-41-0x000001A600270000-0x000001A600280000-memory.dmp

Filesize
64KB

Download
memory/2808-45-0x000001A600320000-0x000001A600330000-memory.dmp

Filesize
64KB

Download
memory/2808-47-0x000001A600290000-0x000001A6002A0000-memory.dmp

Filesize
64KB

Download
memory/2808-49-0x000001A600330000-0x000001A600340000-memory.dmp

Filesize
64KB

Download
memory/2808-48-0x000001A6002A0000-0x000001A6002B0000-memory.dmp

Filesize
64KB

Download
memory/2808-51-0x000001A600340000-0x000001A600350000-memory.dmp

Filesize
64KB

Download
memory/2808-53-0x000001A6002B0000-0x000001A6002C0000-memory.dmp

Filesize
64KB

Download
memory/2808-55-0x000001A600350000-0x000001A600360000-memory.dmp

Filesize
64KB

Download
memory/2808-54-0x000001A6002C0000-0x000001A6002D0000-memory.dmp

Filesize
64KB

Download
memory/2808-60-0x000001A6002D0000-0x000001A6002E0000-memory.dmp

Filesize
64KB

Download
memory/2808-59-0x000001A600370000-0x000001A600380000-memory.dmp

Filesize
64KB

Download
memory/2808-64-0x000001A600380000-0x000001A600390000-memory.dmp

Filesize
64KB

Download
memory/2808-63-0x000001A6002E0000-0x000001A6002F0000-memory.dmp

Filesize
64KB

Download
memory/2808-58-0x000001A600360000-0x000001A600370000-memory.dmp

Filesize
64KB

Download
memory/2808-66-0x000001A6002F0000-0x000001A600300000-memory.dmp

Filesize
64KB

Download
memory/2808-67-0x000001A600390000-0x000001A6003A0000-memory.dmp

Filesize
64KB

Download
memory/2808-70-0x000001A6746A0000-0x000001A6746A1000-memory.dmp

Filesize
4KB

Download
memory/2808-71-0x000001A600300000-0x000001A600310000-memory.dmp

Filesize
64KB

Download
memory/2808-72-0x000001A6003A0000-0x000001A6003B0000-memory.dmp

Filesize
64KB

Download
memory/2808-77-0x000001A6003B0000-0x000001A6003C0000-memory.dmp

Filesize
64KB

Download
memory/2808-76-0x000001A600310000-0x000001A600320000-memory.dmp

Filesize
64KB

Download
memory/2808-80-0x000001A6003C0000-0x000001A6003D0000-memory.dmp

Filesize
64KB

Download
memory/2808-79-0x000001A600320000-0x000001A600330000-memory.dmp

Filesize
64KB

Download
memory/2808-83-0x000001A6003D0000-0x000001A6003E0000-memory.dmp

Filesize
64KB

Download
memory/2808-82-0x000001A600330000-0x000001A600340000-memory.dmp

Filesize
64KB

Download
memory/2808-88-0x000001A6003F0000-0x000001A600400000-memory.dmp

Filesize
64KB

Download
memory/2808-89-0x000001A600350000-0x000001A600360000-memory.dmp

Filesize
64KB

Download
memory/2808-87-0x000001A6003E0000-0x000001A6003F0000-memory.dmp

Filesize
64KB

Download
memory/2808-86-0x000001A600340000-0x000001A600350000-memory.dmp

Filesize
64KB

Download
memory/2808-94-0x000001A600400000-0x000001A600410000-memory.dmp

Filesize
64KB

Download
memory/2808-93-0x000001A600370000-0x000001A600380000-memory.dmp

Filesize
64KB

Download
memory/2808-92-0x000001A600360000-0x000001A600370000-memory.dmp

Filesize
64KB

Download
memory/2808-96-0x000001A6746A0000-0x000001A6746A1000-memory.dmp

Filesize
4KB

Download
memory/2808-101-0x000001A600410000-0x000001A600420000-memory.dmp

Filesize
64KB

Download
memory/2808-100-0x000001A600380000-0x000001A600390000-memory.dmp

Filesize
64KB

Download
memory/2808-102-0x000001A6746A0000-0x000001A6746A1000-memory.dmp

Filesize
4KB

Download
memory/2808-104-0x000001A600390000-0x000001A6003A0000-memory.dmp

Filesize
64KB

Download
memory/2808-106-0x000001A6003A0000-0x000001A6003B0000-memory.dmp

Filesize
64KB

Download
memory/2808-107-0x000001A6003B0000-0x000001A6003C0000-memory.dmp

Filesize
64KB

Download
memory/2808-108-0x000001A6003C0000-0x000001A6003D0000-memory.dmp

Filesize
64KB

Download
memory/2808-109-0x000001A6003D0000-0x000001A6003E0000-memory.dmp

Filesize
64KB

Download
memory/2808-111-0x000001A6003F0000-0x000001A600400000-memory.dmp

Filesize
64KB

Download
memory/2808-110-0x000001A6003E0000-0x000001A6003F0000-memory.dmp

Filesize
64KB

Download
memory/2808-113-0x000001A600400000-0x000001A600410000-memory.dmp

Filesize
64KB

Download
memory/2808-115-0x000001A600420000-0x000001A600430000-memory.dmp

Filesize
64KB

Download
memory/2808-114-0x000001A600410000-0x000001A600420000-memory.dmp

Filesize
64KB

Download
memory/2808-116-0x000001A6746A0000-0x000001A6746A1000-memory.dmp

Filesize
4KB

Download
memory/2808-117-0x000001A600420000-0x000001A600430000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads