fcc120cbbbf66a71a9c0e82d20ecfc6c5721b8ccb806755126c321545fd98d38

General

Target

74143635_by_Libranalysis.jar
Size

116KB
MD5

74143635e4ccd866da6da37710e828c0
SHA1

ea4892ef439b805ce0c8dc477cbb324b66a74d57
SHA256

fcc120cbbbf66a71a9c0e82d20ecfc6c5721b8ccb806755126c321545fd98d38
SHA512

994fd142fda9cc83f15368c6a8793b94099b8ba186f6bd1a5365dbfe6f5308ded20cd2d32eb8bdec3dbdb00d600d67c90512381fb99f2a69b1db4fa3043875d0

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 12 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

java.exewscript.exe

description	pid	process	target process
PID 780 wrote to memory of 2848	780	java.exe	wscript.exe
PID 780 wrote to memory of 2848	780	java.exe	wscript.exe
PID 2848 wrote to memory of 2888	2848	wscript.exe	javaw.exe
PID 2848 wrote to memory of 2888	2848	wscript.exe	javaw.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\74143635_by_Libranalysis.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\kpywlflrwi.js
2⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\iygaixctun.txt"
3⤵
- Drops file in Program Files directory
PID:2888

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD5
0a0d74abe5bb2f16215ab380202c509b

SHA1
52138e3fdee8bb1708d5c627a7ef103b452897e0

SHA256
90e8fb427cd53c776e92d511a518a4fcbe56d06a8fe5a8711bd05e329579e237

SHA512
49d0b0c7fbd435850fda1528cd88f816f16f53e8f85cb98e8aa7cce9b569c7272a49c931ab81639d87c540d4281a3bae598b632ed55f0c2a97ec7b4559d1f3ab

Download Submit
C:\Users\Admin\AppData\Roaming\iygaixctun.txt
MD5
0aec03b268633786fa562a31a28c4dd5

SHA1
2ab19c64e5d12eac367aae2c2330c6d2c222b69f

SHA256
87da378f8e00529e1db5e7be0f577e7bb5f379cf7c1fc3585c719a8cb5aadfc0

SHA512
c84d39405ca909a0627c62dfec3f21350dbf272a4059372203433a5945d4e63d0b6dc206b20b9ec37caefd11e127055ac1acf076e1b90cba7e769c45b2fc9f63

Download Submit
C:\Users\Admin\kpywlflrwi.js
MD5
dba4a2c273da67cd0079d88ff5ed2c4c

SHA1
cd0f69e3fa4c57801ffa65064677c17455827e99

SHA256
eba8b7356da43b24b7e62f362ada126596043a38bc5d8d3a9138a9b484d36e3e

SHA512
39d5e4e883206fa4b5c03875d4d9ab7fbfc0d481e1dab4a32a5acfe25df15de193d4aac6b9f9e20ec4d8e492f65550c1e60acee78eaea99d99e9f77d78ba0376

Download Submit
memory/780-114-0x00000000025D0000-0x0000000002840000-memory.dmp

Filesize
2.4MB

Download
memory/780-116-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2848-115-0x0000000000000000-mapping.dmp

Download
memory/2888-118-0x0000000000000000-mapping.dmp

Download
memory/2888-120-0x00000000029E0000-0x0000000002C50000-memory.dmp

Filesize
2.4MB

Download
memory/2888-122-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/2888-123-0x0000000002C50000-0x0000000002C60000-memory.dmp

Filesize
64KB

Download
memory/2888-124-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing