Overview

overview

10

Static

static

10

output.jar

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 20:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    output.jar

  • Size

    639KB

  • MD5

    4c6e6158af0e9f0e10550fa35032bbca

  • SHA1

    d067e895675378336dad950834445976741dfc83

  • SHA256

    9484f1076d17a61f82a65ced4e62b00f7599fb70bc6459379989f23c08722d38

  • SHA512

    e23187befc0ece03fb1e958a334ae6633e73476067a4eec8413bd7cf718d60a029bdd5286cf17f91a867cfd4268ebff48ba37f87f8960300c07f8cbc952598ae

  • SSDEEP

    12288:4/7TQf/x1DSF54tP0TaTgu/7R3+tdQNGrwgSpGR323ouk2xkSslD8M:4/vQnvSP4lrTgu1OAGrd4hou5x3slD8M

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\output.jar
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:1728
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1719864166749.tmp
      2⤵
      • Views/modifies file attributes
      PID:3040
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1719864166749.tmp" /f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\system32\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1719864166749.tmp" /f
        3⤵
        • Adds Run key to start application
        PID:5004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

File and Directory Permissions Modification

1
T1222

Modify Registry

1
T1112

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    2a668831589c361b8409062efcd86a88

    SHA1

    f43099122b7945a6a9b97229ebef4577a7075925

    SHA256

    1fcc52159d2c4e1d62d5957c7b0064495b4044b8f8a5536025e6fe084fe8e4a4

    SHA512

    a39c5ea913938a8c11915ea3618e8fa00db891a524c331eb8b509903f0f19026dcc8790be0b21ef3c0470867971da7987fe3a7f951de10641697365b0c217b4a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1719864166749.tmp
    Filesize

    639KB

    MD5

    4c6e6158af0e9f0e10550fa35032bbca

    SHA1

    d067e895675378336dad950834445976741dfc83

    SHA256

    9484f1076d17a61f82a65ced4e62b00f7599fb70bc6459379989f23c08722d38

    SHA512

    e23187befc0ece03fb1e958a334ae6633e73476067a4eec8413bd7cf718d60a029bdd5286cf17f91a867cfd4268ebff48ba37f87f8960300c07f8cbc952598ae

    Download Submit
  • memory/2160-39-0x0000028CDC8C0000-0x0000028CDCB30000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/2160-20-0x0000028CDCB50000-0x0000028CDCB60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-41-0x0000028CDCB30000-0x0000028CDCB40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-42-0x0000028CDCB40000-0x0000028CDCB50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-29-0x0000028CDCB90000-0x0000028CDCBA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-27-0x0000028CDCB70000-0x0000028CDCB80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-36-0x0000028CDCBB0000-0x0000028CDCBC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-16-0x0000028CDCB30000-0x0000028CDCB40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-32-0x0000028CDCBA0000-0x0000028CDCBB0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-26-0x0000028CDCB80000-0x0000028CDCB90000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-25-0x0000028CDCB60000-0x0000028CDCB70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-38-0x0000028CDAE90000-0x0000028CDAE91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2160-56-0x0000028CDCBD0000-0x0000028CDCBE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-18-0x0000028CDCB40000-0x0000028CDCB50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-22-0x0000028CDAE90000-0x0000028CDAE91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2160-43-0x0000028CDCB50000-0x0000028CDCB60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-44-0x0000028CDCB60000-0x0000028CDCB70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-45-0x0000028CDCB80000-0x0000028CDCB90000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-46-0x0000028CDCB70000-0x0000028CDCB80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-47-0x0000028CDCB90000-0x0000028CDCBA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-51-0x0000028CDCBC0000-0x0000028CDCBD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-50-0x0000028CDCBA0000-0x0000028CDCBB0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-52-0x0000028CDAE90000-0x0000028CDAE91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2160-53-0x0000028CDCBB0000-0x0000028CDCBC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-55-0x0000028CDCBC0000-0x0000028CDCBD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-2-0x0000028CDC8C0000-0x0000028CDCB30000-memory.dmp
    Filesize

    2.4MB

    Download