a3b480ce2b82d4b08f7e904e497e222753a731875d67fe5de99b2b144f7ccf48

General

Target

Quotation.jar
Size

119KB
MD5

536d2bc29415f705f2e9a26ce0ee349f
SHA1

6e28063ee78e517143ad5363ebd1e036514d6917
SHA256

a3b480ce2b82d4b08f7e904e497e222753a731875d67fe5de99b2b144f7ccf48
SHA512

d860f9edbcf669fb11b638651e92699287dc8ac9ea4a68dce042c7d090b02e8ef0f67d2d1661cf1b5d3348f85d57d620b2a60a9948073d865dd0de008eac63fa

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 12 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings wscript.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

2824 regedit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	wscript.exe

pid	process
2824	regedit.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

java.exewscript.exe

description	pid	process	target process
PID 3204 wrote to memory of 1960	3204	java.exe	wscript.exe
PID 3204 wrote to memory of 1960	3204	java.exe	wscript.exe
PID 1960 wrote to memory of 2824	1960	wscript.exe	regedit.exe
PID 1960 wrote to memory of 2824	1960	wscript.exe	regedit.exe
PID 1960 wrote to memory of 1780	1960	wscript.exe	javaw.exe
PID 1960 wrote to memory of 1780	1960	wscript.exe	javaw.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Quotation.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\gukwmybxjx.js
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
3⤵
- Runs .reg file with regedit
PID:2824

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\wvwhisgtrb.txt"
3⤵
- Drops file in Program Files directory
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg
MD5
0e5411d7ecba9a435afda71c6c39d8fd

SHA1
2d6812052bf7be1b5e213e1d813ae39faa07284c

SHA256
cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2

SHA512
903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1

Download Submit
C:\Users\Admin\AppData\Roaming\wvwhisgtrb.txt
MD5
3b098ed6aa7c3b342772a135129afebd

SHA1
f5b5e634b40d0a043c77f48a259dab9b5eea1f5b

SHA256
4a4a333147eb03fa0bfb7d0f03b37585669e4d056d63d31beecbb56eafc80c91

SHA512
56157f4c0168098877927c46334ac6f1236d18147ad331797152d71a3281d5e2d7bf24c5b0609f868cbf94ec978f6f4e91d882f596e7a97605bd42d4f619e98f

Download Submit
C:\Users\Admin\gukwmybxjx.js
MD5
af43d71698ad8ecf1e295863f978d5fe

SHA1
93152a067e82e2714ea26d3124f874940b39e72f

SHA256
d97f1cd96fc3a0da028be92e02a1064b1c823883f3ff9f29b6f712afa260673b

SHA512
2dfaefcfd3385d41912a5eb5c57c2b5209b9a2297816102d602126258aeab68a4bbb41ceb8c6b54c1271bffe2e14c12fa5f8cfbfe142818a24706154b30126b8

Download Submit
memory/1780-139-0x0000000003350000-0x0000000003360000-memory.dmp

Filesize
64KB

Download
memory/1780-141-0x0000000003360000-0x0000000003370000-memory.dmp

Filesize
64KB

Download
memory/1780-120-0x0000000000000000-mapping.dmp

Download
memory/1780-205-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/1780-196-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/1780-123-0x0000000003040000-0x00000000032B0000-memory.dmp

Filesize
2.4MB

Download
memory/1780-124-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/1780-125-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/1780-127-0x00000000032C0000-0x00000000032D0000-memory.dmp

Filesize
64KB

Download
memory/1780-126-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/1780-128-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/1780-135-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/1780-136-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/1780-137-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/1780-177-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/1780-172-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/1780-142-0x0000000003370000-0x0000000003380000-memory.dmp

Filesize
64KB

Download
memory/1780-144-0x0000000003300000-0x0000000003310000-memory.dmp

Filesize
64KB

Download
memory/1780-145-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/1780-147-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/1780-146-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/1780-149-0x0000000003380000-0x0000000003390000-memory.dmp

Filesize
64KB

Download
memory/1780-151-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/1780-153-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/1780-155-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/1780-166-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/1780-168-0x00000000033A0000-0x00000000033B0000-memory.dmp

Filesize
64KB

Download
memory/1780-170-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/1960-115-0x0000000000000000-mapping.dmp

Download
memory/2824-118-0x0000000000000000-mapping.dmp

Download
memory/3204-114-0x0000000002E70000-0x00000000030E0000-memory.dmp

Filesize
2.4MB

Download
memory/3204-116-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing