eb76c8ea9c1857530e537b318eeac0781f7bbc68ad9e0152bcb2db5a8af71d97

General

Target

fattura.jar
Size

222KB
MD5

9f4c61b914d5174226a6591f9e9a2a48
SHA1

558fa0ea8e2ea1c3c6b618789a88081eebeeab4c
SHA256

eb76c8ea9c1857530e537b318eeac0781f7bbc68ad9e0152bcb2db5a8af71d97
SHA512

f433da3b79fdd9f135094fc546988f81f535793a01b3b73803d7ed5f9b6e6eaacc685ee50e73ff7e3c066deeab7208ff64b55e7a5bc704966f8820b6a8dd81fc

Score

8^/10

persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

java.exewscript.execmd.exeWScript.exe

description	pid	process	target process
PID 676 wrote to memory of 1036	676	java.exe	wscript.exe
PID 676 wrote to memory of 1036	676	java.exe	wscript.exe
PID 676 wrote to memory of 1036	676	java.exe	wscript.exe
PID 1036 wrote to memory of 1376	1036	wscript.exe	powershell.exe
PID 1036 wrote to memory of 1376	1036	wscript.exe	powershell.exe
PID 1036 wrote to memory of 1376	1036	wscript.exe	powershell.exe
PID 1036 wrote to memory of 1828	1036	wscript.exe	WScript.exe
PID 1036 wrote to memory of 1828	1036	wscript.exe	WScript.exe
PID 1036 wrote to memory of 1828	1036	wscript.exe	WScript.exe
PID 1036 wrote to memory of 1848	1036	wscript.exe	cmd.exe
PID 1036 wrote to memory of 1848	1036	wscript.exe	cmd.exe
PID 1036 wrote to memory of 1848	1036	wscript.exe	cmd.exe
PID 1848 wrote to memory of 1892	1848	cmd.exe	javaw.exe
PID 1848 wrote to memory of 1892	1848	cmd.exe	javaw.exe
PID 1848 wrote to memory of 1892	1848	cmd.exe	javaw.exe
PID 1036 wrote to memory of 468	1036	wscript.exe	javaw.exe
PID 1036 wrote to memory of 468	1036	wscript.exe	javaw.exe
PID 1036 wrote to memory of 468	1036	wscript.exe	javaw.exe
PID 1828 wrote to memory of 1580	1828	WScript.exe	powershell.exe
PID 1828 wrote to memory of 1580	1828	WScript.exe	powershell.exe
PID 1828 wrote to memory of 1580	1828	WScript.exe	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1376 powershell.exe
Token: SeDebugPrivilege 1580 powershell.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1376 powershell.exe
1376 powershell.exe
1580 powershell.exe
1580 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe

pid	process
1376	powershell.exe
1376	powershell.exe
1580	powershell.exe
1580	powershell.exe

Blacklisted process makes network request 25 IoCs

Processes:

WScript.exe

flow	pid	process
4	1828	WScript.exe
5	1828	WScript.exe
8	1828	WScript.exe
10	1828	WScript.exe
11	1828	WScript.exe
12	1828	WScript.exe
14	1828	WScript.exe
15	1828	WScript.exe
16	1828	WScript.exe
18	1828	WScript.exe
19	1828	WScript.exe
20	1828	WScript.exe
22	1828	WScript.exe
23	1828	WScript.exe
24	1828	WScript.exe
26	1828	WScript.exe
27	1828	WScript.exe
28	1828	WScript.exe
30	1828	WScript.exe
31	1828	WScript.exe
32	1828	WScript.exe
34	1828	WScript.exe
35	1828	WScript.exe
36	1828	WScript.exe
38	1828	WScript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

javaw.exe

pid process

468 javaw.exe

pid	process
468	javaw.exe

Adds Run entry to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\tDHMhQUaqL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\tDHMhQUaqL.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tDHMhQUaqL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\tDHMhQUaqL.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\software\microsoft\windows\currentversion\run	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tDHMhQUaqL.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tDHMhQUaqL.vbs	WScript.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\fattura.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\bjzxzjbyqj.vbs
2⤵
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
PID:1036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!&','m');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1376

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tDHMhQUaqL.vbs"
3⤵
- Suspicious use of WriteProcessMemory
- Blacklisted process makes network request
- Adds Run entry to start application
- Drops startup file
PID:1828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!&','A');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -version
4⤵
PID:1892

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Download Submit
C:\Users\Admin\AppData\Roaming\tDHMhQUaqL.vbs

Download Submit
C:\Users\Admin\bjzxzjbyqj.vbs

Download Submit
memory/468-10-0x0000000000000000-mapping.dmp

Download
memory/1036-1-0x0000000000000000-mapping.dmp

Download
memory/1036-13-0x0000000002660000-0x0000000002664000-memory.dmp

Filesize
16KB

Download
memory/1376-3-0x0000000000000000-mapping.dmp

Download
memory/1580-14-0x0000000000000000-mapping.dmp

Download
memory/1828-4-0x0000000000000000-mapping.dmp

Download
memory/1848-6-0x0000000000000000-mapping.dmp

Download
memory/1892-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads