Analysis
-
max time kernel
844s -
max time network
1571s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
08/12/2021, 15:50
Static task
static1
Behavioral task
behavioral1
Sample
mrkbajwnyr.txt.jar
Resource
win7-en-20211208
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
mrkbajwnyr.txt.jar
Resource
win10-en-20211208
0 signatures
0 seconds
General
-
Target
mrkbajwnyr.txt.jar
-
Size
185KB
-
MD5
4a769959e2ee2785d32ef2161f28cd8b
-
SHA1
e31b455b90081313e3b7405db3efe1582fe39daa
-
SHA256
496536d34981fc4155772fe136930ef13cf16116a4df18e6261dd084fce40b21
-
SHA512
8ef798581834a365f8a7649572c8683e9294cb950917b9c1e9b6ae60bf48b2e4d0e3be312843e398868f31835f276df24f4c5c2b6fb07b654322a8d5351815ca
Score
10/10
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mrkbajwnyr.txt.jar java.exe -
Loads dropped DLL 2 IoCs
pid Process 1472 java.exe 2912 java.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\mrkbajwnyr.txt = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\mrkbajwnyr.txt.jar\"" java.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mrkbajwnyr.txt = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\mrkbajwnyr.txt.jar\"" java.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 47 ip-api.com -
Drops file in Program Files directory 12 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb java.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1900 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3736 WMIC.exe Token: SeSecurityPrivilege 3736 WMIC.exe Token: SeTakeOwnershipPrivilege 3736 WMIC.exe Token: SeLoadDriverPrivilege 3736 WMIC.exe Token: SeSystemProfilePrivilege 3736 WMIC.exe Token: SeSystemtimePrivilege 3736 WMIC.exe Token: SeProfSingleProcessPrivilege 3736 WMIC.exe Token: SeIncBasePriorityPrivilege 3736 WMIC.exe Token: SeCreatePagefilePrivilege 3736 WMIC.exe Token: SeBackupPrivilege 3736 WMIC.exe Token: SeRestorePrivilege 3736 WMIC.exe Token: SeShutdownPrivilege 3736 WMIC.exe Token: SeDebugPrivilege 3736 WMIC.exe Token: SeSystemEnvironmentPrivilege 3736 WMIC.exe Token: SeRemoteShutdownPrivilege 3736 WMIC.exe Token: SeUndockPrivilege 3736 WMIC.exe Token: SeManageVolumePrivilege 3736 WMIC.exe Token: 33 3736 WMIC.exe Token: 34 3736 WMIC.exe Token: 35 3736 WMIC.exe Token: 36 3736 WMIC.exe Token: SeIncreaseQuotaPrivilege 3736 WMIC.exe Token: SeSecurityPrivilege 3736 WMIC.exe Token: SeTakeOwnershipPrivilege 3736 WMIC.exe Token: SeLoadDriverPrivilege 3736 WMIC.exe Token: SeSystemProfilePrivilege 3736 WMIC.exe Token: SeSystemtimePrivilege 3736 WMIC.exe Token: SeProfSingleProcessPrivilege 3736 WMIC.exe Token: SeIncBasePriorityPrivilege 3736 WMIC.exe Token: SeCreatePagefilePrivilege 3736 WMIC.exe Token: SeBackupPrivilege 3736 WMIC.exe Token: SeRestorePrivilege 3736 WMIC.exe Token: SeShutdownPrivilege 3736 WMIC.exe Token: SeDebugPrivilege 3736 WMIC.exe Token: SeSystemEnvironmentPrivilege 3736 WMIC.exe Token: SeRemoteShutdownPrivilege 3736 WMIC.exe Token: SeUndockPrivilege 3736 WMIC.exe Token: SeManageVolumePrivilege 3736 WMIC.exe Token: 33 3736 WMIC.exe Token: 34 3736 WMIC.exe Token: 35 3736 WMIC.exe Token: 36 3736 WMIC.exe Token: SeIncreaseQuotaPrivilege 1492 WMIC.exe Token: SeSecurityPrivilege 1492 WMIC.exe Token: SeTakeOwnershipPrivilege 1492 WMIC.exe Token: SeLoadDriverPrivilege 1492 WMIC.exe Token: SeSystemProfilePrivilege 1492 WMIC.exe Token: SeSystemtimePrivilege 1492 WMIC.exe Token: SeProfSingleProcessPrivilege 1492 WMIC.exe Token: SeIncBasePriorityPrivilege 1492 WMIC.exe Token: SeCreatePagefilePrivilege 1492 WMIC.exe Token: SeBackupPrivilege 1492 WMIC.exe Token: SeRestorePrivilege 1492 WMIC.exe Token: SeShutdownPrivilege 1492 WMIC.exe Token: SeDebugPrivilege 1492 WMIC.exe Token: SeSystemEnvironmentPrivilege 1492 WMIC.exe Token: SeRemoteShutdownPrivilege 1492 WMIC.exe Token: SeUndockPrivilege 1492 WMIC.exe Token: SeManageVolumePrivilege 1492 WMIC.exe Token: 33 1492 WMIC.exe Token: 34 1492 WMIC.exe Token: 35 1492 WMIC.exe Token: 36 1492 WMIC.exe Token: SeIncreaseQuotaPrivilege 1492 WMIC.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 3488 wrote to memory of 1472 3488 java.exe 72 PID 3488 wrote to memory of 1472 3488 java.exe 72 PID 1472 wrote to memory of 2324 1472 java.exe 74 PID 1472 wrote to memory of 2324 1472 java.exe 74 PID 1472 wrote to memory of 2912 1472 java.exe 76 PID 1472 wrote to memory of 2912 1472 java.exe 76 PID 2324 wrote to memory of 1900 2324 cmd.exe 78 PID 2324 wrote to memory of 1900 2324 cmd.exe 78 PID 2912 wrote to memory of 3980 2912 java.exe 79 PID 2912 wrote to memory of 3980 2912 java.exe 79 PID 3980 wrote to memory of 3736 3980 cmd.exe 81 PID 3980 wrote to memory of 3736 3980 cmd.exe 81 PID 2912 wrote to memory of 2316 2912 java.exe 83 PID 2912 wrote to memory of 2316 2912 java.exe 83 PID 2316 wrote to memory of 1492 2316 cmd.exe 85 PID 2316 wrote to memory of 1492 2316 cmd.exe 85 PID 2912 wrote to memory of 2040 2912 java.exe 86 PID 2912 wrote to memory of 2040 2912 java.exe 86 PID 2040 wrote to memory of 2668 2040 cmd.exe 88 PID 2040 wrote to memory of 2668 2040 cmd.exe 88 PID 2912 wrote to memory of 1984 2912 java.exe 89 PID 2912 wrote to memory of 1984 2912 java.exe 89 PID 1984 wrote to memory of 3288 1984 cmd.exe 91 PID 1984 wrote to memory of 3288 1984 cmd.exe 91
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\mrkbajwnyr.txt.jar1⤵
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\mrkbajwnyr.txt.jar"2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SYSTEM32\cmd.execmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\mrkbajwnyr.txt.jar"3⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\mrkbajwnyr.txt.jar"4⤵
- Creates scheduled task(s)
PID:1900
-
-
-
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\mrkbajwnyr.txt.jar"3⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"4⤵
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3736
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"4⤵
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"4⤵
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list5⤵PID:2668
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"4⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list5⤵PID:3288
-
-
-
-