Analysis

max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 09/12/2021, 12:54
Static task: static1

Behavioral task: behavioral1
Sample: DOCUMENTS_SHIPPING_107865489 (2).jar
Resource: win7-en-20211208
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: DOCUMENTS_SHIPPING_107865489 (2).jar
Resource: win10-en-20211208
0 signatures, 0 seconds
General

Target: DOCUMENTS_SHIPPING_107865489 (2).jar
Size: 95KB
MD5: d79532f750087749d27a51d2b6193c5f
SHA1: 5f4c9b790017fdde77432984b125baaf59ca3144
SHA256: 1571a4bf6d272dced62cf114cbc864994cd7d360097263b277a3ac50ac226d21
SHA512: bd5f4c0b9a9455ba7b1848574be228c714323f6e3bf144898e3be602089707b5ea066e67c51c60ba062dd3bb6db2495b68627801ccafd8f7beea1a181411519b
Score: 10/10
Malware Config
Signatures
Drops startup file (1 IoC)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENTS_SHIPPING_107865489 (2).jar
process: java.exe
Loads dropped DLL (2 IoCs)
pid 2020 java.exe
pid 1600 java.exe
Adds Run key to start application (2 TTPs, 2 IoCs; ATT&CK T1547.001)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\DOCUMENTS_SHIPPING_107865489 (2) = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\DOCUMENTS_SHIPPING_107865489 (2).jar\""
process: java.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DOCUMENTS_SHIPPING_107865489 (2) = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\DOCUMENTS_SHIPPING_107865489 (2).jar\""
process: java.exe
Note: both values point javaw.exe at the copy of the .jar placed in AppData\Roaming. The HKLM Run value can only be written with administrative rights, so its presence shows the sample ran elevated in this sandbox (user Admin); on a non-admin host only the HKCU value would land.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 11: ip-api.com
Creates scheduled task(s) (1 TTP, 1 IoC; ATT&CK T1053.005)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 1524 schtasks.exe
Note: the task is named Skype, fires every 30 minutes (/sc minute /mo 30) and its action is the copied .jar in AppData\Roaming rather than an executable (full command line under Processes). A task whose name does not match its action, and whose action is a document type, is the detection hook here.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All entries are WMIC.exe enabling the same privilege set: pid 1092 (two full passes) and pid 1244 (one full pass plus SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege and SeLoadDriverPrivilege of a second pass before the 64-IoC cap cuts the list).
Privileges per pass: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Note: this is WMIC's own start-up behaviour (it enables every privilege in its token), not an action of the sample. The signal worth keeping is which WMI queries the sample asked WMIC to run (see Processes).
Suspicious use of WriteProcessMemory (36 IoCs)
Each parent-to-child write is recorded three times; collapsed here to one line per pair (parent pid and process -> child pid, procid_target):
1848 java.exe -> 2020 (28)
2020 java.exe -> 1644 (29)
2020 java.exe -> 1600 (30)
1644 cmd.exe -> 1524 (31)
1600 java.exe -> 1656 (32)
1656 cmd.exe -> 1092 (33)
1600 java.exe -> 1684 (37)
1684 cmd.exe -> 1244 (38)
1600 java.exe -> 1412 (39)
1412 cmd.exe -> 1728 (40)
1600 java.exe -> 1764 (41)
1764 cmd.exe -> 304 (42)
Note: every write is from a parent into a process it has just created (compare the tree under Processes); this is the memory setup that accompanies process creation, not injection into an unrelated process.
Processes

1. C:\Windows\system32\java.exe
   cmdline: java -jar "C:\Users\Admin\AppData\Local\Temp\DOCUMENTS_SHIPPING_107865489 (2).jar"
   PID: 1848
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Java\jre7\bin\java.exe
      cmdline: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\DOCUMENTS_SHIPPING_107865489 (2).jar"
      PID: 2020
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe
         cmdline: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\DOCUMENTS_SHIPPING_107865489 (2).jar"
         PID: 1644
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\schtasks.exe
            cmdline: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\DOCUMENTS_SHIPPING_107865489 (2).jar"
            PID: 1524
            - Creates scheduled task(s)
      3. C:\Program Files\Java\jre7\bin\java.exe
         cmdline: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\DOCUMENTS_SHIPPING_107865489 (2).jar"
         PID: 1600
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\cmd.exe
            cmdline: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
            PID: 1656
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\System32\Wbem\WMIC.exe
               cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
               PID: 1092
               - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\system32\cmd.exe
            cmdline: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
            PID: 1684
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\System32\Wbem\WMIC.exe
               cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
               PID: 1244
               - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\system32\cmd.exe
            cmdline: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
            PID: 1412
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\System32\Wbem\WMIC.exe
               cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
               PID: 1728
         4. C:\Windows\system32\cmd.exe
            cmdline: cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
            PID: 1764
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\System32\Wbem\WMIC.exe
               cmdline: wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
               PID: 304
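The tree above is a compact picture of a Java dropper's first minute: the launcher runs the .jar from Temp, a second java.exe runs a copy from the user profile, that copy writes the Startup-folder file and the two Run values and registers the "Skype" task, and a third java.exe running the AppData\Roaming copy fingerprints the host through WMIC (volume serial number, OS caption, architecture and version, installed antivirus via root\securitycenter) and looks up the external IP at ip-api.com. The following is an added example, not part of the sandbox output: detection rules over process-creation events and Run-key writes, written to fire on exactly the behaviour recorded here. The ProcEvent rows are constructed by hand from the report's PIDs, images and command lines (the two WMIC calls that only query OS caption and version are omitted; the launcher's parent PID is unknown and recorded as 0), and the rule names are this example's own. The "java -jar from a user-writable path" rule also flags the sandbox launcher (PID 1848), since it ran the sample from Temp; on a real host that is the initial-execution event you want to see.

```python
"""Detection rules over the process tree and Run-key writes recorded in the report.

Added example for this page, not part of the sandbox output. Events and registry
values are constructed from the report; rule names are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


JAR = "DOCUMENTS_SHIPPING_107865489 (2).jar"
JRE = r"C:\Program Files\Java\jre7\bin"
CMD = r"C:\Windows\system32\cmd.exe"
WMIC = r"C:\Windows\System32\Wbem\WMIC.exe"
WMI_DISK = r"wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
WMI_AV = r"wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
TASK = f'schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\\Users\\Admin\\AppData\\Roaming\\{JAR}"'

# Constructed from the "Processes" section (PIDs as recorded; ppid 0 = sandbox launcher).
EVENTS = [
    ProcEvent(1848, 0, r"C:\Windows\system32\java.exe", f'java -jar "C:\\Users\\Admin\\AppData\\Local\\Temp\\{JAR}"'),
    ProcEvent(2020, 1848, JRE + r"\java.exe", f'"{JRE}\\java.exe" -jar "C:\\Users\\Admin\\{JAR}"'),
    ProcEvent(1644, 2020, CMD, "cmd /c " + TASK),
    ProcEvent(1524, 1644, r"C:\Windows\system32\schtasks.exe", TASK),
    ProcEvent(1600, 2020, JRE + r"\java.exe", f'"{JRE}\\java.exe" -jar "C:\\Users\\Admin\\AppData\\Roaming\\{JAR}"'),
    ProcEvent(1656, 1600, CMD, f'cmd.exe /c "{WMI_DISK}"'),
    ProcEvent(1092, 1656, WMIC, WMI_DISK),
    ProcEvent(1764, 1600, CMD, f'cmd.exe /c "{WMI_AV}"'),
    ProcEvent(304, 1764, WMIC, WMI_AV),
]

# Constructed from "Adds Run key to start application" (value data unescaped).
RUN_DATA = f'"{JRE}\\javaw.exe" -jar "C:\\Users\\Admin\\AppData\\Roaming\\{JAR}"'
RUN_VALUES = {
    r"\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\DOCUMENTS_SHIPPING_107865489 (2)": RUN_DATA,
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DOCUMENTS_SHIPPING_107865489 (2)": RUN_DATA,
}

USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\", re.I)          # anything under C:\Users\<name>\
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.I)       # quoted or bare -jar argument
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)    # quoted or bare schtasks /tr action
JAVA = ("java.exe", "javaw.exe")


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _first(m):
    return (m.group(1) or m.group(2)) if m else None


def jar_launched_from_user_path(cmdline: str) -> bool:
    """java/javaw -jar <path> with <path> under a user profile (Temp, Roaming, profile root)."""
    target = _first(JAR_ARG.search(cmdline))
    return bool(target and USER_PROFILE.search(target))


def schtasks_action_is_jar(cmdline: str) -> bool:
    """schtasks /create whose /tr action is a .jar instead of an executable."""
    if not re.search(r"\bschtasks\b.*/create\b", cmdline, re.I):
        return False
    target = _first(TASK_ACTION.search(cmdline))
    return bool(target and target.lower().endswith(".jar"))


def wmic_query_kind(cmdline: str):
    """Classify the two WMI queries from the report that matter for triage."""
    c = cmdline.lower()
    if "securitycenter" in c and "antivirusproduct" in c:
        return "wmic_av_discovery"
    if "win32_logicaldisk" in c and "volumeserialnumber" in c:
        return "wmic_host_fingerprint"
    return None


def scan_process_events(events):
    """Return sorted (pid, rule) hits. cmd.exe is flagged only when its parent is a
    Java process that itself runs a .jar from a user-writable path."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = _basename(e.image)
        if name in JAVA and jar_launched_from_user_path(e.cmdline):
            hits.append((e.pid, "java_jar_from_user_path"))
        elif name == "cmd.exe":
            p = by_pid.get(e.ppid)
            if p and _basename(p.image) in JAVA and jar_launched_from_user_path(p.cmdline):
                hits.append((e.pid, "java_spawns_shell"))
        elif name == "schtasks.exe" and schtasks_action_is_jar(e.cmdline):
            hits.append((e.pid, "schtasks_persists_jar"))
        elif name == "wmic.exe":
            kind = wmic_query_kind(e.cmdline)
            if kind:
                hits.append((e.pid, kind))
    return sorted(hits)


def scan_run_values(values):
    """Flag Run values that start javaw.exe -jar on a .jar under the Roaming AppData folder."""
    hits = []
    for key, data in values.items():
        target = _first(JAR_ARG.search(data))
        if target and "javaw.exe" in data.lower() and "\\appdata\\roaming\\" in target.lower():
            hits.append((key, "run_key_javaw_jar_in_roaming"))
    return sorted(hits)


if __name__ == "__main__":
    for pid, rule in scan_process_events(EVENTS):
        print(f"pid {pid:>5}  {rule}")
    for key, rule in scan_run_values(RUN_VALUES):
        print(f"{rule}: {key}")
```

The cmd.exe rule deliberately keys on the parent's command line rather than its own, so the schtasks and wmic one-liners are caught even when the shell is only a pass-through; the schtasks rule looks at the /tr action type, which is what separates this "Skype" task from a legitimate one with the same name. Paths with spaces, as in this sample's file name, are why the regexes accept a quoted argument before falling back to a bare token.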