Analysis

max time kernel: 63s
max time network: 135s
platform: windows10_x64
resource: win10
submitted: 09-07-2020 12:18

Static task: static1

Behavioral task: behavioral1
- Sample: 41b697071796cd939294fab1fb9a40e2.jar
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 41b697071796cd939294fab1fb9a40e2.jar
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General

- Target: 41b697071796cd939294fab1fb9a40e2.jar
- Size: 405KB
- MD5: 41b697071796cd939294fab1fb9a40e2
- SHA1: c9159d9a726a512ca1d183ceabcda0d424c2949d
- SHA256: e692c0ca92af826d8e9678a29b69fe6a3a88a0d704fd84f4ef39a2b9f971714e
- SHA512: a9874889f9295694bb700922b72a94706032f168b442b8ec48ae82d9c6f1d7a60e956a8ecfea09d506be6aedc50d0b2874aeecb00df5511e25825fc0cb83f2af
- Score: 7/10
Malware Config

Signatures
Loads dropped DLL (1 IoC)
Processes:
- java.exe (PID 976)
Drops file in System32 directory (2 IoCs)
Processes:
- File created: C:\Windows\System32\uycJf (java.exe)
- File opened for modification: C:\Windows\System32\uycJf (java.exe)
Views/modifies file attributes (1 TTP, 8 IoCs)
Processes:
- attrib.exe, PIDs 1500, 1020, 3632, 1728, 1644, 1756, 968, 1228
Adds Run entry to start application (2 TTPs, 4 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run (java.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\uqBrkMc = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\udFoQ\\uGGbQ.class\"" (java.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (java.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\uqBrkMc = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\udFoQ\\uGGbQ.class\"" (java.exe)
Drops desktop.ini file(s) (4 IoCs)
Processes:
- File opened for modification: C:\Users\Admin\udFoQ\Desktop.ini (java.exe)
- File created: C:\Users\Admin\udFoQ\Desktop.ini (java.exe)
- File opened for modification: C:\Users\Admin\udFoQ\Desktop.ini (attrib.exe)
- File opened for modification: C:\Users\Admin\udFoQ\Desktop.ini (attrib.exe)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- java.exe (PID 976)
Suspicious use of WriteProcessMemory (30 IoCs)
Processes (the report records each write twice; each is listed once here, source PID and process, then target PID and process):
- PID 976 java.exe wrote to memory of PID 1768 cmd.exe
- PID 976 java.exe wrote to memory of PID 3980 cmd.exe
- PID 3980 cmd.exe wrote to memory of PID 3252 WMIC.exe
- PID 976 java.exe wrote to memory of PID 632 cmd.exe
- PID 632 cmd.exe wrote to memory of PID 912 WMIC.exe
- PID 976 java.exe wrote to memory of PID 968 attrib.exe
- PID 976 java.exe wrote to memory of PID 1228 attrib.exe
- PID 976 java.exe wrote to memory of PID 1500 attrib.exe
- PID 976 java.exe wrote to memory of PID 1020 attrib.exe
- PID 976 java.exe wrote to memory of PID 3632 attrib.exe
- PID 976 java.exe wrote to memory of PID 1728 attrib.exe
- PID 976 java.exe wrote to memory of PID 1644 attrib.exe
- PID 976 java.exe wrote to memory of PID 1756 attrib.exe
- PID 976 java.exe wrote to memory of PID 2184 cmd.exe
- PID 2184 cmd.exe wrote to memory of PID 2828 WMIC.exe
Suspicious use of AdjustPrivilegeToken (126 IoCs)
Processes: WMIC.exe (PID 3252) and WMIC.exe (PID 912). The same sequence of token adjustments is recorded for each process (twice in full for PID 3252, once for PID 912 before the listing is cut off at the start of a repeat):
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: 33
- Token: 34
- Token: 35
- Token: 36
Processes (process tree; [n] is the depth in the tree)

[1] C:\ProgramData\Oracle\Java\javapath\java.exe (PID 976)
    command line: java -jar C:\Users\Admin\AppData\Local\Temp\41b697071796cd939294fab1fb9a40e2.jar
    - Loads dropped DLL
    - Drops file in System32 directory
    - Adds Run entry to start application
    - Drops desktop.ini file(s)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SYSTEM32\cmd.exe (PID 1768)
        command line: cmd.exe

    [2] C:\Windows\SYSTEM32\cmd.exe (PID 3980)
        command line: cmd.exe
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\Wbem\WMIC.exe (PID 3252)
            command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SYSTEM32\cmd.exe (PID 632)
        command line: cmd.exe
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\Wbem\WMIC.exe (PID 912)
            command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SYSTEM32\attrib.exe (PID 968)
        command line: attrib +h C:\Users\Admin\Oracle
        - Views/modifies file attributes

    [2] C:\Windows\SYSTEM32\attrib.exe (PID 1228)
        command line: attrib +h +r +s C:\Users\Admin\.ntusernt.ini
        - Views/modifies file attributes

    [2] C:\Windows\SYSTEM32\attrib.exe (PID 1500)
        command line: attrib -s -r C:\Users\Admin\udFoQ\Desktop.ini
        - Views/modifies file attributes
        - Drops desktop.ini file(s)

    [2] C:\Windows\SYSTEM32\attrib.exe (PID 1020)
        command line: attrib +s +r C:\Users\Admin\udFoQ\Desktop.ini
        - Views/modifies file attributes
        - Drops desktop.ini file(s)

    [2] C:\Windows\SYSTEM32\attrib.exe (PID 3632)
        command line: attrib -s -r C:\Users\Admin\udFoQ
        - Views/modifies file attributes

    [2] C:\Windows\SYSTEM32\attrib.exe (PID 1728)
        command line: attrib +s +r C:\Users\Admin\udFoQ
        - Views/modifies file attributes

    [2] C:\Windows\SYSTEM32\attrib.exe (PID 1644)
        command line: attrib +h C:\Users\Admin\udFoQ
        - Views/modifies file attributes

    [2] C:\Windows\SYSTEM32\attrib.exe (PID 1756)
        command line: attrib +h +s +r C:\Users\Admin\udFoQ\uGGbQ.class
        - Views/modifies file attributes

    [2] C:\Windows\SYSTEM32\cmd.exe (PID 2184)
        command line: cmd.exe
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\Wbem\WMIC.exe (PID 2828)
            command line: wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List