Analysis
- max time kernel: 1799s
- max time network: 1805s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 08/12/2021, 15:50
Static task: static1
Behavioral task: behavioral1
- Sample: mrkbajwnyr.txt.jar
- Resource: win7-en-20211208
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: mrkbajwnyr.txt.jar
- Resource: win10-en-20211208
- 0 signatures
- 0 seconds
General
- Target: mrkbajwnyr.txt.jar
- Size: 185KB
- MD5: 4a769959e2ee2785d32ef2161f28cd8b
- SHA1: e31b455b90081313e3b7405db3efe1582fe39daa
- SHA256: 496536d34981fc4155772fe136930ef13cf16116a4df18e6261dd084fce40b21
- SHA512: 8ef798581834a365f8a7649572c8683e9294cb950917b9c1e9b6ae60bf48b2e4d0e3be312843e398868f31835f276df24f4c5c2b6fb07b654322a8d5351815ca
- Score: 10/10
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mrkbajwnyr.txt.jar (process: java.exe)
- Loads dropped DLL (2 IoCs)
  PID 592 java.exe
  PID 1512 java.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\mrkbajwnyr.txt = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\mrkbajwnyr.txt.jar\"" (process: java.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mrkbajwnyr.txt = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\mrkbajwnyr.txt.jar\"" (process: java.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 11: ip-api.com
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 992 schtasks.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1512 java.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (39 IoCs)
Processes
C:\Windows\system32\java.exe
  java -jar C:\Users\Admin\AppData\Local\Temp\mrkbajwnyr.txt.jar
  - Suspicious use of WriteProcessMemory
  PID: 776
    C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\mrkbajwnyr.txt.jar"
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 592
        C:\Windows\system32\cmd.exe
          cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\mrkbajwnyr.txt.jar"
          - Suspicious use of WriteProcessMemory
          PID: 1468
            C:\Windows\system32\schtasks.exe
              schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\mrkbajwnyr.txt.jar"
              - Creates scheduled task(s)
              PID: 992
        C:\Program Files\Java\jre7\bin\java.exe
          "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\mrkbajwnyr.txt.jar"
          - Loads dropped DLL
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of WriteProcessMemory
          PID: 1512
            C:\Windows\system32\cmd.exe
              cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
              - Suspicious use of WriteProcessMemory
              PID: 1104
                C:\Windows\System32\Wbem\WMIC.exe
                  wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1616
            C:\Windows\system32\cmd.exe
              cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
              - Suspicious use of WriteProcessMemory
              PID: 912
                C:\Windows\System32\Wbem\WMIC.exe
                  wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1780
            C:\Windows\system32\cmd.exe
              cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
              - Suspicious use of WriteProcessMemory
              PID: 684
                C:\Windows\System32\Wbem\WMIC.exe
                  wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
                  PID: 1216
            C:\Windows\system32\cmd.exe
              cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
              - Suspicious use of WriteProcessMemory
              PID: 268
                C:\Windows\System32\Wbem\WMIC.exe
                  wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
                  PID: 1708
C:\Windows\system32\taskeng.exe
  taskeng.exe {935A0B6A-90CF-41E6-851E-B96269E932AB} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 736
    C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" "C:\Users\Admin\AppData\Roaming\mrkbajwnyr.txt.jar"
      PID: 1096