46a4cab8778211dc9bc824b607741cd03c8fdb799a8e90d106efc22f57b06281

General

Target

PO#5200668.jar
Size

175KB
MD5

3ad760b40ee49e61becff81d532ac85e
SHA1

1a876cf8130ece99630865cd70810f3dd5166679
SHA256

46a4cab8778211dc9bc824b607741cd03c8fdb799a8e90d106efc22f57b06281
SHA512

d7fdee20687ce29d41b1620c8afa2e94c4f8f40c049542148942bbf2ac05646f045bd0cce1a64999e1ef4ff3d6ff99bab4819db76b35df8c65f648089ca9b5ff

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 12 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

java.exewscript.exe

description	pid	process	target process
PID 3948 wrote to memory of 2340	3948	java.exe	wscript.exe
PID 3948 wrote to memory of 2340	3948	java.exe	wscript.exe
PID 2340 wrote to memory of 3944	2340	wscript.exe	javaw.exe
PID 2340 wrote to memory of 3944	2340	wscript.exe	javaw.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PO#5200668.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\vpjwxgdblj.js
2⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\lmrhzukher.txt"
3⤵
- Drops file in Program Files directory
PID:3944

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD5
2c71e90bca1c329837a79fe3aad0ceaa

SHA1
ef6e1c20b845552f0bc935ae4a5aa2c4624d6d4f

SHA256
166f79d0a36cef802e7def27ef9678f4f543f2b2a542bed8fbf99c0cb2d834c1

SHA512
f9f16c7ac434ff5956e3445853aff7e41544fd2fa64e0132b1a17fd34b12b264c202a69d8e1eaab89750291eeb6e480d831dccedb06aa46063eb487204c10c57

Download Submit
C:\Users\Admin\AppData\Roaming\lmrhzukher.txt
MD5
c33235baef599c49bd6fa9020f528ec5

SHA1
ad9743c9322d4aef8690c47b7c311e5290e287a6

SHA256
f3a96713037135119cc21ee6a5be2b0dc91647e238e8a31a1f2d8ed96da1abb7

SHA512
13467e597e03b7255caae6427787264caf93cd1067e40eb81081592aa33305a0160d4cb7fd550bab002ee10da9a4aa63175eccf039b0c32390f9aec43fffc777

Download Submit
C:\Users\Admin\vpjwxgdblj.js
MD5
5e8270b67440e1b89173cffd00d83eeb

SHA1
f6a4813914e80bb14df5c44554f1ee7a8bed78db

SHA256
daa4d87d858855984ffbe54cf74518dd3a850bad761974ca9a46693d0d672770

SHA512
b17e576cd3b0b43fa8f7facac3b842e366df7d0686825dbd85cd7203503e50ac9660a800fc0a68472832d294bb5272e70c394572adecd265e4037e11141610d1

Download Submit
memory/2340-115-0x0000000000000000-mapping.dmp

Download
memory/3944-118-0x0000000000000000-mapping.dmp

Download
memory/3944-121-0x0000000002EF0000-0x0000000003160000-memory.dmp

Filesize
2.4MB

Download
memory/3944-122-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3944-123-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3944-125-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/3944-124-0x0000000003160000-0x0000000003170000-memory.dmp

Filesize
64KB

Download
memory/3944-127-0x0000000003190000-0x00000000031A0000-memory.dmp

Filesize
64KB

Download
memory/3944-126-0x0000000003180000-0x0000000003190000-memory.dmp

Filesize
64KB

Download
memory/3944-128-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/3948-114-0x0000000002970000-0x0000000002BE0000-memory.dmp

Filesize
2.4MB

Download
memory/3948-116-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing