Analysis
max time kernel: 151s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211208
submitted: 13/12/2021, 15:18
Static task: static1
Behavioral task: behavioral1
  Sample: SHIPMENT_DOCUMENTS_INV-PLIST_BL PDF.jar
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: SHIPMENT_DOCUMENTS_INV-PLIST_BL PDF.jar
  Resource: win10-en-20211208
General
Target: SHIPMENT_DOCUMENTS_INV-PLIST_BL PDF.jar
Size: 95KB
MD5: b1467334c88785074a65f4a908a98852
SHA1: f03287324b6a6d87458802faf8626a8b37f7ea76
SHA256: 1ad5d9e88b0356a59d02aa52ddbb663719b46085e3075e7f171c609083a09db0
SHA512: 9edcb83f6dd786cc5680d82feead098b77da16096d63fe59c21ca3f280e67037c15ef380624f29f6ce46497a1c8d1a3931e28c2d430d2ae7f92856ed3a53229e
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SHIPMENT_DOCUMENTS_INV-PLIST_BL PDF.jar (process: java.exe)

Loads dropped DLL (2 IoCs)
  PID 1968 java.exe
  PID 1460 java.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\SHIPMENT_DOCUMENTS_INV-PLIST_BL PDF = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\SHIPMENT_DOCUMENTS_INV-PLIST_BL PDF.jar\"" (process: java.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SHIPMENT_DOCUMENTS_INV-PLIST_BL PDF = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\SHIPMENT_DOCUMENTS_INV-PLIST_BL PDF.jar\"" (process: java.exe)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 12: ip-api.com

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1700 schtasks.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (36 IoCs)
Processes
1. C:\Windows\system32\java.exe (PID 1692)
   Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\SHIPMENT_DOCUMENTS_INV-PLIST_BL PDF.jar"
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Program Files\Java\jre7\bin\java.exe (PID 1968)
      Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\SHIPMENT_DOCUMENTS_INV-PLIST_BL PDF.jar"
      Signatures: Drops startup file; Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\cmd.exe (PID 1196)
         Command line: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SHIPMENT_DOCUMENTS_INV-PLIST_BL PDF.jar"
         Signatures: Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\schtasks.exe (PID 1700)
            Command line: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SHIPMENT_DOCUMENTS_INV-PLIST_BL PDF.jar"
            Signatures: Creates scheduled task(s)

      3. C:\Program Files\Java\jre7\bin\java.exe (PID 1460)
         Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\SHIPMENT_DOCUMENTS_INV-PLIST_BL PDF.jar"
         Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\cmd.exe (PID 1576)
            Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
            Signatures: Suspicious use of WriteProcessMemory

            5. C:\Windows\System32\Wbem\WMIC.exe (PID 984)
               Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
               Signatures: Suspicious use of AdjustPrivilegeToken

         4. C:\Windows\system32\cmd.exe (PID 1484)
            Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
            Signatures: Suspicious use of WriteProcessMemory

            5. C:\Windows\System32\Wbem\WMIC.exe (PID 584)
               Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
               Signatures: Suspicious use of AdjustPrivilegeToken

         4. C:\Windows\system32\cmd.exe (PID 660)
            Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
            Signatures: Suspicious use of WriteProcessMemory

            5. C:\Windows\System32\Wbem\WMIC.exe (PID 1136)
               Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list

         4. C:\Windows\system32\cmd.exe (PID 1552)
            Command line: cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
            Signatures: Suspicious use of WriteProcessMemory

            5. C:\Windows\System32\Wbem\WMIC.exe (PID 892)
               Command line: wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list