Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
15-10-2021 12:30
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT SLIP 2.jar
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
PAYMENT SLIP 2.jar
Resource
win10-en-20210920
General
-
Target
PAYMENT SLIP 2.jar
-
Size
184KB
-
MD5
6f8a0a71fa4e9b4f871bd262dda7c0c1
-
SHA1
8ae0166ac5d5a98cd379fd124829a5877d16e770
-
SHA256
6c0658315b96ee5b7c95c60279714f9c95017fb22f451c5a73af91583889f1c1
-
SHA512
1b5e806fcdbc5abca5f16fc1974125b38bb41b2800a4bd981ea4c08dab6f9b3e391b04f2e581672de3e756a1fa8f08fe297376bf687fc8ebd11693f75bd4fbdc
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
java.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SLIP 2.jar java.exe -
Loads dropped DLL 2 IoCs
Processes:
java.exejava.exepid process 1868 java.exe 1748 java.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
java.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\PAYMENT SLIP 2 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SLIP 2.jar\"" java.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SLIP 2 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SLIP 2.jar\"" java.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 ip-api.com -
Drops file in Program Files directory 1 IoCs
Processes:
java.exedescription ioc process File created C:\Program Files\Java\jre7\PAYMENT SLIP 2.jar java.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
WMIC.exeWMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 2028 WMIC.exe Token: SeSecurityPrivilege 2028 WMIC.exe Token: SeTakeOwnershipPrivilege 2028 WMIC.exe Token: SeLoadDriverPrivilege 2028 WMIC.exe Token: SeSystemProfilePrivilege 2028 WMIC.exe Token: SeSystemtimePrivilege 2028 WMIC.exe Token: SeProfSingleProcessPrivilege 2028 WMIC.exe Token: SeIncBasePriorityPrivilege 2028 WMIC.exe Token: SeCreatePagefilePrivilege 2028 WMIC.exe Token: SeBackupPrivilege 2028 WMIC.exe Token: SeRestorePrivilege 2028 WMIC.exe Token: SeShutdownPrivilege 2028 WMIC.exe Token: SeDebugPrivilege 2028 WMIC.exe Token: SeSystemEnvironmentPrivilege 2028 WMIC.exe Token: SeRemoteShutdownPrivilege 2028 WMIC.exe Token: SeUndockPrivilege 2028 WMIC.exe Token: SeManageVolumePrivilege 2028 WMIC.exe Token: 33 2028 WMIC.exe Token: 34 2028 WMIC.exe Token: 35 2028 WMIC.exe Token: SeIncreaseQuotaPrivilege 2028 WMIC.exe Token: SeSecurityPrivilege 2028 WMIC.exe Token: SeTakeOwnershipPrivilege 2028 WMIC.exe Token: SeLoadDriverPrivilege 2028 WMIC.exe Token: SeSystemProfilePrivilege 2028 WMIC.exe Token: SeSystemtimePrivilege 2028 WMIC.exe Token: SeProfSingleProcessPrivilege 2028 WMIC.exe Token: SeIncBasePriorityPrivilege 2028 WMIC.exe Token: SeCreatePagefilePrivilege 2028 WMIC.exe Token: SeBackupPrivilege 2028 WMIC.exe Token: SeRestorePrivilege 2028 WMIC.exe Token: SeShutdownPrivilege 2028 WMIC.exe Token: SeDebugPrivilege 2028 WMIC.exe Token: SeSystemEnvironmentPrivilege 2028 WMIC.exe Token: SeRemoteShutdownPrivilege 2028 WMIC.exe Token: SeUndockPrivilege 2028 WMIC.exe Token: SeManageVolumePrivilege 2028 WMIC.exe Token: 33 2028 WMIC.exe Token: 34 2028 WMIC.exe Token: 35 2028 WMIC.exe Token: SeIncreaseQuotaPrivilege 1624 WMIC.exe Token: SeSecurityPrivilege 1624 WMIC.exe Token: SeTakeOwnershipPrivilege 1624 WMIC.exe Token: SeLoadDriverPrivilege 1624 WMIC.exe Token: SeSystemProfilePrivilege 1624 WMIC.exe Token: SeSystemtimePrivilege 1624 WMIC.exe Token: SeProfSingleProcessPrivilege 1624 WMIC.exe Token: SeIncBasePriorityPrivilege 1624 WMIC.exe Token: SeCreatePagefilePrivilege 1624 WMIC.exe Token: SeBackupPrivilege 1624 WMIC.exe Token: SeRestorePrivilege 1624 WMIC.exe Token: SeShutdownPrivilege 1624 WMIC.exe Token: SeDebugPrivilege 1624 WMIC.exe Token: SeSystemEnvironmentPrivilege 1624 WMIC.exe Token: SeRemoteShutdownPrivilege 1624 WMIC.exe Token: SeUndockPrivilege 1624 WMIC.exe Token: SeManageVolumePrivilege 1624 WMIC.exe Token: 33 1624 WMIC.exe Token: 34 1624 WMIC.exe Token: 35 1624 WMIC.exe Token: SeIncreaseQuotaPrivilege 1624 WMIC.exe Token: SeSecurityPrivilege 1624 WMIC.exe Token: SeTakeOwnershipPrivilege 1624 WMIC.exe Token: SeLoadDriverPrivilege 1624 WMIC.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
java.exejava.exejava.execmd.exejava.execmd.execmd.execmd.exedescription pid process target process PID 1504 wrote to memory of 1824 1504 java.exe java.exe PID 1504 wrote to memory of 1824 1504 java.exe java.exe PID 1504 wrote to memory of 1824 1504 java.exe java.exe PID 1824 wrote to memory of 1868 1824 java.exe java.exe PID 1824 wrote to memory of 1868 1824 java.exe java.exe PID 1824 wrote to memory of 1868 1824 java.exe java.exe PID 1868 wrote to memory of 1676 1868 java.exe cmd.exe PID 1868 wrote to memory of 1676 1868 java.exe cmd.exe PID 1868 wrote to memory of 1676 1868 java.exe cmd.exe PID 1868 wrote to memory of 1748 1868 java.exe java.exe PID 1868 wrote to memory of 1748 1868 java.exe java.exe PID 1868 wrote to memory of 1748 1868 java.exe java.exe PID 1676 wrote to memory of 1068 1676 cmd.exe schtasks.exe PID 1676 wrote to memory of 1068 1676 cmd.exe schtasks.exe PID 1676 wrote to memory of 1068 1676 cmd.exe schtasks.exe PID 1748 wrote to memory of 1472 1748 java.exe cmd.exe PID 1748 wrote to memory of 1472 1748 java.exe cmd.exe PID 1748 wrote to memory of 1472 1748 java.exe cmd.exe PID 1748 wrote to memory of 512 1748 java.exe cmd.exe PID 1748 wrote to memory of 512 1748 java.exe cmd.exe PID 1748 wrote to memory of 512 1748 java.exe cmd.exe PID 512 wrote to memory of 1624 512 cmd.exe WMIC.exe PID 512 wrote to memory of 1624 512 cmd.exe WMIC.exe PID 512 wrote to memory of 1624 512 cmd.exe WMIC.exe PID 1748 wrote to memory of 1528 1748 java.exe cmd.exe PID 1748 wrote to memory of 1528 1748 java.exe cmd.exe PID 1748 wrote to memory of 1528 1748 java.exe cmd.exe PID 1528 wrote to memory of 820 1528 cmd.exe WMIC.exe PID 1528 wrote to memory of 820 1528 cmd.exe WMIC.exe PID 1528 wrote to memory of 820 1528 cmd.exe WMIC.exe PID 1748 wrote to memory of 1388 1748 java.exe cmd.exe PID 1748 wrote to memory of 1388 1748 java.exe cmd.exe PID 1748 wrote to memory of 1388 1748 java.exe cmd.exe PID 1388 wrote to memory of 556 1388 cmd.exe WMIC.exe PID 1388 wrote to memory of 556 1388 cmd.exe WMIC.exe PID 1388 wrote to memory of 556 1388 cmd.exe WMIC.exe
Processes
-
C:\Windows\system32\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP 2.jar"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Program Files\Java\jre7\bin\java.exe"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Program Files\Java\jre7\PAYMENT SLIP 2.jar"2⤵
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Program Files\Java\jre7\bin\java.exe"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\PAYMENT SLIP 2.jar"3⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Program Files\Java\jre7\bin\java.exe"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP 2.jar"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"5⤵PID:1472
-
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"5⤵
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"5⤵
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list6⤵PID:820
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"5⤵
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list6⤵PID:556
-
-
-
-
C:\Windows\system32\cmd.execmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP 2.jar"4⤵
- Suspicious use of WriteProcessMemory
PID:1676
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP 2.jar"1⤵
- Creates scheduled task(s)
PID:1068
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
6f8a0a71fa4e9b4f871bd262dda7c0c1
SHA18ae0166ac5d5a98cd379fd124829a5877d16e770
SHA2566c0658315b96ee5b7c95c60279714f9c95017fb22f451c5a73af91583889f1c1
SHA5121b5e806fcdbc5abca5f16fc1974125b38bb41b2800a4bd981ea4c08dab6f9b3e391b04f2e581672de3e756a1fa8f08fe297376bf687fc8ebd11693f75bd4fbdc
-
MD5
e02979ecd43bcc9061eb2b494ab5af50
SHA13122ac0e751660f646c73b10c4f79685aa65c545
SHA256a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA5121e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3456797065-1076791440-4146276586-1000\83aa4cc77f591dfc2374580bbd95f6ba_9904da6a-19c3-4a6e-a0a9-89cb601578fd
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
MD5
6f8a0a71fa4e9b4f871bd262dda7c0c1
SHA18ae0166ac5d5a98cd379fd124829a5877d16e770
SHA2566c0658315b96ee5b7c95c60279714f9c95017fb22f451c5a73af91583889f1c1
SHA5121b5e806fcdbc5abca5f16fc1974125b38bb41b2800a4bd981ea4c08dab6f9b3e391b04f2e581672de3e756a1fa8f08fe297376bf687fc8ebd11693f75bd4fbdc
-
MD5
acfb5b5fd9ee10bf69497792fd469f85
SHA10e0845217c4907822403912ad6828d8e0b256208
SHA256b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
SHA512e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa
-
MD5
2f4a99c2758e72ee2b59a73586a2322f
SHA1af38e7c4d0fc73c23ecd785443705bfdee5b90bf
SHA25624d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5
SHA512b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494
-
MD5
b33387e15ab150a7bf560abdc73c3bec
SHA166b8075784131f578ef893fd7674273f709b9a4c
SHA2562eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491
SHA51225cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279
-
MD5
e1aa38a1e78a76a6de73efae136cdb3a
SHA1c463da71871f780b2e2e5dba115d43953b537daf
SHA2562ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609
SHA512fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d
-
MD5
6f8a0a71fa4e9b4f871bd262dda7c0c1
SHA18ae0166ac5d5a98cd379fd124829a5877d16e770
SHA2566c0658315b96ee5b7c95c60279714f9c95017fb22f451c5a73af91583889f1c1
SHA5121b5e806fcdbc5abca5f16fc1974125b38bb41b2800a4bd981ea4c08dab6f9b3e391b04f2e581672de3e756a1fa8f08fe297376bf687fc8ebd11693f75bd4fbdc
-
MD5
acfb5b5fd9ee10bf69497792fd469f85
SHA10e0845217c4907822403912ad6828d8e0b256208
SHA256b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
SHA512e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa
-
MD5
2f4a99c2758e72ee2b59a73586a2322f
SHA1af38e7c4d0fc73c23ecd785443705bfdee5b90bf
SHA25624d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5
SHA512b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494
-
MD5
b33387e15ab150a7bf560abdc73c3bec
SHA166b8075784131f578ef893fd7674273f709b9a4c
SHA2562eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491
SHA51225cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279
-
MD5
e1aa38a1e78a76a6de73efae136cdb3a
SHA1c463da71871f780b2e2e5dba115d43953b537daf
SHA2562ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609
SHA512fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d
-
MD5
e02979ecd43bcc9061eb2b494ab5af50
SHA13122ac0e751660f646c73b10c4f79685aa65c545
SHA256a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA5121e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372
-
MD5
e02979ecd43bcc9061eb2b494ab5af50
SHA13122ac0e751660f646c73b10c4f79685aa65c545
SHA256a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA5121e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372