3c58c0257967024f97cc51918584119061f5760839ead8834613617413cd76bc

General

Target

Order.jar
Size

119KB
MD5

e4ff39c093a238eff303dc92537ea2fb
SHA1

6f538d4150f4c48f0bb25c2cc9396f6d8f4ae1e7
SHA256

3c58c0257967024f97cc51918584119061f5760839ead8834613617413cd76bc
SHA512

1a3e9adb721edd0a1cdba4cf754f8c5d787cec7aac2e3edf3d6dd7d3195e4dd04e87c1d533b7c49f21aff03fd20abb6b13e6f529aed60939e7202c1a7d6b278d

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 12 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

java.exewscript.exe

description	pid	process	target process
PID 4084 wrote to memory of 1624	4084	java.exe	wscript.exe
PID 4084 wrote to memory of 1624	4084	java.exe	wscript.exe
PID 1624 wrote to memory of 2692	1624	wscript.exe	javaw.exe
PID 1624 wrote to memory of 2692	1624	wscript.exe	javaw.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Order.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\mwmgpjziht.js
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fjdctmmujc.txt"
3⤵
- Drops file in Program Files directory
PID:2692

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\fjdctmmujc.txt
MD5
f56824df149a86fc089666ce180eba00

SHA1
7c5be12f8d23828b07801e7989761f392e05aedb

SHA256
3bb2b6d1331057d1a0df547193c2f2cee51f0bc7b37c56c4506b539e66b40f65

SHA512
cac9b27d77abe6cbe1e308d7a33b542dc298a3028f0680184e6dc18be67520b67803a6ed9428bb98e3ebfccc50bbae486bcc81890d7c758f86fc581739558425

Download Submit
C:\Users\Admin\mwmgpjziht.js
MD5
4b3032aa2019a2b3b78d6dadd7ede734

SHA1
090fe92d02ec65cd66c1cba607f93f6c2c050c28

SHA256
1e84998a3fda8487f27c45b73e06e6bfe1a4c0ea01c9143668e96258d05cf742

SHA512
5b94fc9c3e9dae3fbea9b95cf6982d819da8cd90319fb628dfd98b578230e3079c5fc6a383e52e966c172796f745f014fd5ed0b384d3a37fee6d016c3cd91aa9

Download Submit
memory/1624-115-0x0000000000000000-mapping.dmp

Download
memory/2692-122-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/2692-118-0x0000000000000000-mapping.dmp

Download
memory/2692-121-0x0000000002C00000-0x0000000002E70000-memory.dmp

Filesize
2.4MB

Download
memory/2692-123-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/2692-125-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/2692-126-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/2692-127-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/2692-128-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/2692-124-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/2692-129-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/2692-130-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

Filesize
64KB

Download
memory/4084-116-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/4084-114-0x0000000002940000-0x0000000002BB0000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing