Analysis
max time kernel: 152s
max time network: 147s
platform: windows7_x64
resource: win7-en-20211208
submitted: 13/12/2021, 15:18

Static task: static1

Behavioral task: behavioral1
Sample: CUSTOMS DOCUMENTS PDF.jar
Resource: win7-en-20211208
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: CUSTOMS DOCUMENTS PDF.jar
Resource: win10-en-20211208
0 signatures
0 seconds
General
Target: CUSTOMS DOCUMENTS PDF.jar
Size: 95KB
MD5: 91f2de012a840b47d9d11d1507ca14be
SHA1: 79b813a33705605527483ead1aea2537c198e571
SHA256: abacf97d6fd2b2c59717692c05fb25a5a9295aea2908b76324531e5e9fdc4311
SHA512: 46560661273593e550ce587b0c1d0effeb5cc21e04c920a6e9aff16ebcb4e93bc9785376015cb6496c0e452d478e25b62ad5f8912f62adc0d0f4f318e6b30506
Score: 10/10
Malware Config
Signatures
Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CUSTOMS DOCUMENTS PDF.jar (process: java.exe)

Loads dropped DLL (2 IoCs)
PID 1476 java.exe
PID 316 java.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\CUSTOMS DOCUMENTS PDF = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\CUSTOMS DOCUMENTS PDF.jar\"" (process: java.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CUSTOMS DOCUMENTS PDF = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\CUSTOMS DOCUMENTS PDF.jar\"" (process: java.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 12: ip-api.com

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 276 schtasks.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 36 IoCs
Processes
Process tree (child processes are indented under their parent):

C:\Windows\system32\java.exe
  Command: java -jar "C:\Users\Admin\AppData\Local\Temp\CUSTOMS DOCUMENTS PDF.jar"
  PID: 968
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Java\jre7\bin\java.exe
    Command: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\CUSTOMS DOCUMENTS PDF.jar"
    PID: 1476
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\CUSTOMS DOCUMENTS PDF.jar"
      PID: 1296
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\schtasks.exe
        Command: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\CUSTOMS DOCUMENTS PDF.jar"
        PID: 276
        - Creates scheduled task(s)

    C:\Program Files\Java\jre7\bin\java.exe
      Command: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\CUSTOMS DOCUMENTS PDF.jar"
      PID: 316
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        Command: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        PID: 1520
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe
          Command: wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
          PID: 1588
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        Command: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        PID: 1976
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe
          Command: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
          PID: 1416
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        Command: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        PID: 1608
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe
          Command: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
          PID: 1676

      C:\Windows\system32\cmd.exe
        Command: cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
        PID: 1984
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe
          Command: wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
          PID: 1948