Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 18/12/2021, 08:50
Static task: static1

Behavioral task: behavioral1
Sample: SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar
Resource: win7-en-20211208
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar
Resource: win10-en-20211208
0 signatures
0 seconds
General
Target: SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar
Size: 103KB
MD5: 25d7be8c2f534dca289f50a193a5418d
SHA1: 020aa3a275641eb88e07df1ed222f14944f80785
SHA256: ad13f2f5590aa12b204c3713520f605595ab04f468577424effd742251a35712
SHA512: 9ccd9bf4756aa464fd9eb516448ad9f650c38ebed61f0a0eb3979b66c4f8e57f84bbc0b62c437fd56a7fc5e7c798f42a6da10f4edabf2b52e51bed970f35845e
Score: 10/10
Malware Config

Signatures
suricata: ET MALWARE STRRAT Initial HTTP Activity

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar
  Process: java.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1880  java.exe
  1648  java.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar\""
  Process: java.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar\""
  Process: java.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  848  schtasks.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process   procid_target
  PID 1752 wrote to memory of 1880  1752  java.exe  28
  PID 1752 wrote to memory of 1880  1752  java.exe  28
  PID 1752 wrote to memory of 1880  1752  java.exe  28
  PID 1880 wrote to memory of 1716  1880  java.exe  29
  PID 1880 wrote to memory of 1716  1880  java.exe  29
  PID 1880 wrote to memory of 1716  1880  java.exe  29
  PID 1880 wrote to memory of 1648  1880  java.exe  30
  PID 1880 wrote to memory of 1648  1880  java.exe  30
  PID 1880 wrote to memory of 1648  1880  java.exe  30
  PID 1716 wrote to memory of 848   1716  cmd.exe   31
  PID 1716 wrote to memory of 848   1716  cmd.exe   31
  PID 1716 wrote to memory of 848   1716  cmd.exe   31
Processes

1. C:\Windows\system32\java.exe
   Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar"
   PID: 1752
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\Java\jre7\bin\java.exe
      Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar"
      PID: 1880
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\cmd.exe
         Command line: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar"
         PID: 1716
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar"
            PID: 848
            - Creates scheduled task(s)

      3. C:\Program Files\Java\jre7\bin\java.exe
         Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar"
         PID: 1648
         - Loads dropped DLL