Analysis

max time kernel: 152s
max time network: 152s
platform: windows7_x64
resource: win7-en-20211208
submitted: 08/12/2021, 15:47

Static task: static1

Behavioral task: behavioral1
  Sample: mrkbajwnyr.txt.jar
  Resource: win7-en-20211208
  0 signatures
  0 seconds

Behavioral task: behavioral2
  Sample: mrkbajwnyr.txt.jar
  Resource: win10-en-20211208
  0 signatures
  0 seconds
General

Target: mrkbajwnyr.txt.jar
Size: 185KB
MD5: 4a769959e2ee2785d32ef2161f28cd8b
SHA1: e31b455b90081313e3b7405db3efe1582fe39daa
SHA256: 496536d34981fc4155772fe136930ef13cf16116a4df18e6261dd084fce40b21
SHA512: 8ef798581834a365f8a7649572c8683e9294cb950917b9c1e9b6ae60bf48b2e4d0e3be312843e398868f31835f276df24f4c5c2b6fb07b654322a8d5351815ca
Score: 10/10
Malware Config

Signatures

- suricata: ET MALWARE STRRAT CnC Checkin
- suricata: ET MALWARE STRRAT CnC Checkin

- Drops startup file (1 IoCs)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mrkbajwnyr.txt.jar
  Process: java.exe

- Loads dropped DLL (2 IoCs)
  pid: 1732  Process: java.exe
  pid: 1016  Process: java.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\mrkbajwnyr.txt = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\mrkbajwnyr.txt.jar\""
  Process: java.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mrkbajwnyr.txt = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\mrkbajwnyr.txt.jar\""
  Process: java.exe

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 12  ioc: ip-api.com

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 1740  Process: schtasks.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Each IoC is a row of the form "Token: <privilege>  pid: <pid>  Process: WMIC.exe"; the 64 rows are grouped below by pid in the order they appear.
  pid 1220, WMIC.exe (rows 1-20, then the same 20 tokens again as rows 21-40):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 376, WMIC.exe (rows 41-60, the same 20 tokens):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 376, WMIC.exe (rows 61-64):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege

- Suspicious use of WriteProcessMemory (36 IoCs)
  Columns: description | pid | Process | procid_target. Each row below is recorded three times in the report, giving 36 IoCs.
  PID 1668 wrote to memory of 1732 | 1668 | java.exe | 28
  PID 1732 wrote to memory of 1968 | 1732 | java.exe | 29
  PID 1732 wrote to memory of 1016 | 1732 | java.exe | 30
  PID 1968 wrote to memory of 1740 | 1968 | cmd.exe | 31
  PID 1016 wrote to memory of 1212 | 1016 | java.exe | 34
  PID 1212 wrote to memory of 1220 | 1212 | cmd.exe | 35
  PID 1016 wrote to memory of 336 | 1016 | java.exe | 37
  PID 336 wrote to memory of 376 | 336 | cmd.exe | 38
  PID 1016 wrote to memory of 1104 | 1016 | java.exe | 39
  PID 1104 wrote to memory of 572 | 1104 | cmd.exe | 40
  PID 1016 wrote to memory of 768 | 1016 | java.exe | 41
  PID 768 wrote to memory of 1556 | 768 | cmd.exe | 42
Processes

Process tree (indentation shows parent/child depth as recorded in the report):

1. C:\Windows\system32\java.exe
   Command line: java -jar C:\Users\Admin\AppData\Local\Temp\mrkbajwnyr.txt.jar
   PID: 1668
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\Java\jre7\bin\java.exe
      Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\mrkbajwnyr.txt.jar"
      PID: 1732
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\cmd.exe
         Command line: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\mrkbajwnyr.txt.jar"
         PID: 1968
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\mrkbajwnyr.txt.jar"
            PID: 1740
            - Creates scheduled task(s)

      3. C:\Program Files\Java\jre7\bin\java.exe
         Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\mrkbajwnyr.txt.jar"
         PID: 1016
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\cmd.exe
            Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
            PID: 1212
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\System32\Wbem\WMIC.exe
               Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
               PID: 1220
               - Suspicious use of AdjustPrivilegeToken

         4. C:\Windows\system32\cmd.exe
            Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
            PID: 336
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\System32\Wbem\WMIC.exe
               Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
               PID: 376
               - Suspicious use of AdjustPrivilegeToken

         4. C:\Windows\system32\cmd.exe
            Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
            PID: 1104
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\System32\Wbem\WMIC.exe
               Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
               PID: 572

         4. C:\Windows\system32\cmd.exe
            Command line: cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
            PID: 768
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\System32\Wbem\WMIC.exe
               Command line: wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
               PID: 1556