Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-en-20211208
submitted: 18/01/2022, 11:27
Static task: static1
Behavioral task: behavioral1
    Sample: New Price List For DStv&GOtv.pdf.jar
    Resource: win7-en-20211208
Behavioral task: behavioral2
    Sample: New Price List For DStv&GOtv.pdf.jar
    Resource: win10v2004-en-20220112
General
Target: New Price List For DStv&GOtv.pdf.jar
Size: 189KB
MD5: b1d6eafab8240680ef96194944ce3801
SHA1: a9b312e682e43b28d28faf6b66c903ba12dfecf5
SHA256: 85daaa8ff4820b98c0d1471ed68ab675f2fea97f4d6f6f48a951b4344b9c2b38
SHA512: af2daaccce5c601f4dae45ea51113eb85cb86b055dbba22bfaf131200c5ecf4f29ff66c42ae7bb1d9d6fd893cb715f1c77734f211f296ef91f98c5fa0ac37cf2
Malware Config
Signatures
Blocklisted process makes network request (13 IoCs)
All 13 network flows come from one process, pid 632 WScript.exe: flows 13, 14, 21, 23, 24, 25, 27, 28, 29, 31, 32, 34, 36.
Drops startup file (3 IoCs)
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OJBcFWZNgk.js    WScript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OJBcFWZNgk.js    WScript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fhmzyvaqe.txt    java.exe
Loads dropped DLL (3 IoCs)
pid 1724 java.exe (once); pid 1572 java.exe (twice)
Accesses Microsoft Outlook profiles (1 TTP, 7 IoCs)
All seven keys are opened by java.exe under \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000:
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook
Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook
Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Adds Run key to start application (2 TTPs, 4 IoCs)
Key created      \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run    WScript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\OJBcFWZNgk.js\""    WScript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\fhmzyvaqe = "\"C:\\Users\\Admin\\AppData\\Roaming\\fhmzyvaqe.txt\""    java.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fhmzyvaqe = "\"C:\\Users\\Admin\\AppData\\Roaming\\fhmzyvaqe.txt\""    java.exe
Both persistence targets carry non-executable extensions (.js, .txt); the .js runs under the script host, and the .txt is the JAR that javaw.exe/java.exe launch with -jar, which does not care about the file name.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 19    ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but that is generic signature text: the only storage access in this report is the wmic win32_logicaldisk get volumeserialnumber query listed under Processes, which is consistent with host fingerprinting, and no file encryption activity appears anywhere in the report.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 1000    schtasks.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid 1752    powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Two WMIC.exe instances (pid 460 and pid 572) enable the privileges already present in their token. The report lists the following 20-entry sequence twice for pid 460 and then again for pid 572, where the listing stops at the signature's 64-entry cap after the fourth entry of the second pass:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
The unnamed entries 33, 34 and 35 are privilege LUIDs; in the standard well-known numbering they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. AdjustTokenPrivileges only enables privileges the token already holds, so this is WMIC.exe's own start-up behaviour during the wmic reconnaissance calls under Processes, not a privilege escalation by the payload.
Suspicious use of WriteProcessMemory (48 IoCs)
Each parent-to-child write is logged three times in the report; the 16 distinct edges, as parent pid and image -> child pid (procid_target), are:
1388 java.exe -> 1132 (28)
1132 wscript.exe -> 632 (29)
1132 wscript.exe -> 428 (30)
428 javaw.exe -> 1724 (35)
1724 java.exe -> 996 (36)
1724 java.exe -> 1572 (38)
996 cmd.exe -> 1000 (40)
1572 java.exe -> 1932 (43)
1932 cmd.exe -> 460 (41)
1572 java.exe -> 524 (46)
524 cmd.exe -> 572 (44)
1572 java.exe -> 428 (49)
428 cmd.exe -> 1532 (47)
1572 java.exe -> 976 (52)
976 cmd.exe -> 108 (50)
1572 java.exe -> 1752 (58)
Pid 428 appears twice: first as javaw.exe (child of wscript.exe 1132), later as cmd.exe (child of java.exe 1572) after the earlier process had exited and the pid was reused. The rendered process tree under Processes resolves the WMIC.exe 1532 edge against the javaw.exe instance and shows WMIC.exe 460, 572 and 108 at the top level; these edges show that all four WMIC.exe processes were in fact spawned by cmd.exe children of java.exe 1572.
outlook_office_path (1 IoC)
Key opened    \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook    java.exe
outlook_win_path (1 IoC)
Key opened    \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook    java.exe
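The Run-key and Startup-folder entries above point at a .js file and a .txt file, and the process list shows the .txt being launched with -jar. The JVM identifies a JAR by its ZIP structure and manifest, never by extension, so a triage check on autostart entries has to look at file content. The script below is an added example, not part of the sandbox report or the sample; the Run-key values are the ones the report shows, but the file contents (a minimal JAR standing in for fhmzyvaqe.txt, and a short JS file) are constructed in memory.

```python
"""Classify an autostart target by content, not by extension.

Added example, not part of the sandbox report. The Run-key values are the
ones the report shows; the file contents are constructed in memory here
(a minimal JAR named fhmzyvaqe.txt, and a JS file), not the real payloads.
"""
import io
import ntpath
import zipfile

# Extensions the Windows Script Host / mshta executes directly when double-clicked or run from Run keys.
SCRIPT_HOST_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def inspect_jar(data: bytes) -> dict:
    """Report what `java -jar` would find: ZIP container, manifest, Main-Class.

    The JVM never looks at the file name, so a JAR renamed to .txt still runs.
    zipfile.is_zipfile() keys on the end-of-central-directory record, which is
    what ZIP readers (the JVM's included) locate first, so leading junk bytes
    do not defeat the check.
    """
    info = {"is_zip": False, "has_manifest": False, "main_class": None, "entries": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return info
    info["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        info["entries"] = zf.namelist()
        if "META-INF/MANIFEST.MF" in info["entries"]:
            info["has_manifest"] = True
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.lower().startswith("main-class:"):
                    info["main_class"] = line.split(":", 1)[1].strip()
    return info


def target_path(value_data: str) -> str:
    """Extract the program path from a Run-key value such as "\\"C:\\\\x.txt\\" arg"."""
    v = value_data.strip()
    if v.startswith('"') and v.count('"') >= 2:
        return v[1:v.index('"', 1)]
    return v.split(" ", 1)[0]


def classify_autostart_target(value_data: str, file_bytes: bytes) -> str:
    """Verdict for one Run-key value given the bytes of the file it points at."""
    ext = ntpath.splitext(target_path(value_data))[1].lower()
    if ext in SCRIPT_HOST_EXTS:
        return "script-host-persistence"        # wscript.exe will run it at logon
    jar = inspect_jar(file_bytes)
    if jar["has_manifest"] and jar["main_class"]:
        return "jar" if ext == ".jar" else "jar-with-misleading-extension"
    if jar["is_zip"]:
        return "zip-without-main-class"         # `java -jar` refuses it: no main manifest attribute
    return "not-a-jar"


def build_sample_jar() -> bytes:
    """Constructed stand-in for fhmzyvaqe.txt: a ZIP with a manifest and a class-file stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)  # class-file magic plus padding
    return buf.getvalue()


if __name__ == "__main__":
    # Run-key values exactly as the report shows them, paired with constructed file contents.
    samples = {
        '"C:\\Users\\Admin\\AppData\\Roaming\\OJBcFWZNgk.js"': b"var sh = new ActiveXObject('WScript.Shell');",
        '"C:\\Users\\Admin\\AppData\\Roaming\\fhmzyvaqe.txt"': build_sample_jar(),
    }
    for value, content in samples.items():
        print(f"{value}: {classify_autostart_target(value, content)}")
```

On a live host the same check applies to every value under the HKCU and HKLM Run keys and every file in the Startup folder: read the bytes the value points at and classify by content, because the extension is under the attacker's control.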
Processes
(Indentation and the bracketed number give the depth in the process tree; the signatures triggered by each process follow its command line.)

[1] C:\Windows\system32\java.exe    PID 1388
    java -jar "C:\Users\Admin\AppData\Local\Temp\New Price List For DStv&GOtv.pdf.jar"
    Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\wscript.exe    PID 1132
        wscript C:\Users\Admin\_output.js
        Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\WScript.exe    PID 632
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OJBcFWZNgk.js"
            Blocklisted process makes network request; Drops startup file; Adds Run key to start application
        [3] C:\Program Files\Java\jre7\bin\javaw.exe    PID 428
            "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fhmzyvaqe.txt"
            Suspicious use of WriteProcessMemory
            [4] C:\Program Files\Java\jre7\bin\java.exe    PID 1724
                "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\fhmzyvaqe.txt"
                Drops startup file; Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
                [5] C:\Windows\system32\cmd.exe    PID 996
                    cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\fhmzyvaqe.txt"
                    Suspicious use of WriteProcessMemory
                    [6] C:\Windows\system32\schtasks.exe    PID 1000
                        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\fhmzyvaqe.txt"
                        Creates scheduled task(s)
                [5] C:\Program Files\Java\jre7\bin\java.exe    PID 1572
                    "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\fhmzyvaqe.txt"
                    Loads dropped DLL; Accesses Microsoft Outlook profiles; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
                    [6] C:\Windows\system32\cmd.exe    PID 1932
                        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
                        Suspicious use of WriteProcessMemory
                    [6] C:\Windows\system32\cmd.exe    PID 524
                        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
                        Suspicious use of WriteProcessMemory
                    [6] C:\Windows\system32\cmd.exe    PID 428
                        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
                        Suspicious use of WriteProcessMemory
                    [6] C:\Windows\system32\cmd.exe    PID 976
                        cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
                        Suspicious use of WriteProcessMemory
                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    PID 1752
                        powershell.exe "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }"
                        Suspicious behavior: EnumeratesProcesses
            [4] C:\Windows\System32\Wbem\WMIC.exe    PID 1532
                wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
                (Rendered under javaw.exe because its parent, cmd.exe PID 428, reused the pid that javaw.exe had held; the WriteProcessMemory entries record cmd.exe 428 as the real parent.)
[1] C:\Windows\System32\Wbem\WMIC.exe    PID 460
    wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
    Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\Wbem\WMIC.exe    PID 572
    wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
    Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\Wbem\WMIC.exe    PID 108
    wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
(WMIC.exe 460, 572 and 108 are rendered at the top level, but the WriteProcessMemory entries identify their parents as cmd.exe 1932, 524 and 976, all children of java.exe 1572; the placement is a tree-rendering artifact, not evidence of a separate launcher.)

Read as a chain: the mailed .pdf.jar runs under java.exe, drops and executes _output.js through wscript.exe, which installs the .js Run-key persistence and launches the real payload (fhmzyvaqe.txt, a JAR) through javaw.exe. The payload re-launches itself, adds a Run key under both HKCU and HKLM, creates a 30-minute scheduled task named Skype, then performs host reconnaissance through wmic (volume serial number, OS caption and architecture, OS version, installed antivirus from root\securitycenter), reads Outlook profile keys and dumps the Windows Credential Manager vault with the PowerShell PasswordVault one-liner.
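The process chain above is what a detection engineer would encode as rules over process-creation telemetry (Sysmon event 1, EDR process events): a Java runtime spawning script hosts and shells, -jar pointed at a non-.jar file, schtasks /tr into AppData, wmic queries for the AV product and volume serial, and PowerShell touching the PasswordVault. The script below is an added example, not part of the sandbox report: the EVENTS list is constructed from the report's process tree, with command lines abbreviated to the tokens the rules inspect and the root's ppid set to 0. It also reconstructs each finding's ancestry by resolving a parent to the most recent earlier event with that pid, which is what handles the reuse of pid 428 visible in the report.

```python
"""Detection rules over process-creation events for the chain in this report.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree (pid, ppid, image, command line); command lines are
abbreviated to the tokens the rules inspect, and the root's ppid is set to 0.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

ROAMING = "C:\\Users\\Admin\\AppData\\Roaming\\"

EVENTS = [
    Event(1388, 0,    "java.exe",       'java -jar "C:\\Users\\Admin\\AppData\\Local\\Temp\\New Price List For DStv&GOtv.pdf.jar"'),
    Event(1132, 1388, "wscript.exe",    "wscript C:\\Users\\Admin\\_output.js"),
    Event(632,  1132, "WScript.exe",    f'"C:\\Windows\\System32\\WScript.exe" "{ROAMING}OJBcFWZNgk.js"'),
    Event(428,  1132, "javaw.exe",      f'javaw.exe -jar "{ROAMING}fhmzyvaqe.txt"'),
    Event(1724, 428,  "java.exe",       'java.exe -jar "C:\\Users\\Admin\\fhmzyvaqe.txt"'),
    Event(996,  1724, "cmd.exe",        f'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "{ROAMING}fhmzyvaqe.txt"'),
    Event(1000, 996,  "schtasks.exe",   f'schtasks /create /sc minute /mo 30 /tn Skype /tr "{ROAMING}fhmzyvaqe.txt"'),
    Event(1572, 1724, "java.exe",       f'java.exe -jar "{ROAMING}fhmzyvaqe.txt"'),
    Event(1932, 1572, "cmd.exe",        "cmd.exe /c \"wmic /node:. /namespace:'\\\\root\\cimv2' path win32_logicaldisk get volumeserialnumber /format:list\""),
    Event(460,  1932, "WMIC.exe",       "wmic /node:. /namespace:'\\\\root\\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"),
    Event(976,  1572, "cmd.exe",        "cmd.exe /c \"wmic /node:localhost /namespace:'\\\\root\\securitycenter' path antivirusproduct get displayname /format:list\""),
    Event(108,  976,  "WMIC.exe",       "wmic /node:localhost /namespace:'\\\\root\\securitycenter' path antivirusproduct get displayname /format:list"),
    Event(428,  1572, "cmd.exe",        "cmd.exe /c \"wmic /node:. /namespace:'\\\\root\\cimv2' path win32_operatingsystem get version /format:list\""),  # pid 428 reused
    Event(1532, 428,  "WMIC.exe",       "wmic /node:. /namespace:'\\\\root\\cimv2' path win32_operatingsystem get version /format:list"),
    Event(1752, 1572, "powershell.exe", 'powershell.exe "[void][Windows.Security.Credentials.PasswordVault,...] $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }"'),
]

JAVA = {"java.exe", "javaw.exe"}
SHELLS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}


def _arg_after(flag, cmdline):
    """Return the (possibly quoted) argument that follows `flag`, or None."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def resolve_parent(events, idx):
    """Index of the parent of events[idx]: the most recent earlier event with pid == ppid.

    Walking backwards in creation order is what makes pid reuse resolve correctly
    (here pid 428 is javaw.exe first and cmd.exe later).
    """
    ppid = events[idx].ppid
    for j in range(idx - 1, -1, -1):
        if events[j].pid == ppid:
            return j
    return None


def ancestry(events, idx):
    """Image names from events[idx] up to the root, in that order."""
    chain = []
    while idx is not None:
        chain.append(events[idx].image)
        idx = resolve_parent(events, idx)
    return chain


def detect(events):
    findings = []
    for i, ev in enumerate(events):
        img, cmd = ev.image.lower(), ev.cmdline.lower()
        p = resolve_parent(events, i)
        parent_img = events[p].image.lower() if p is not None else ""
        hits = []
        if parent_img in JAVA and img in SHELLS:
            hits.append("java-spawns-shell-or-script-host")
        target = _arg_after("-jar", ev.cmdline)
        if img in JAVA and target and not target.lower().endswith(".jar"):
            hits.append("jar-executed-from-non-jar-extension")
        tr = _arg_after("/tr", ev.cmdline)
        if img == "schtasks.exe" and "/create" in cmd and tr and "\\appdata\\" in tr.lower():
            hits.append("scheduled-task-runs-from-appdata")
        if "securitycenter" in cmd and "antivirusproduct" in cmd:
            hits.append("av-discovery-via-wmi")
        if "win32_logicaldisk" in cmd and "volumeserialnumber" in cmd:
            hits.append("volume-serial-collection")
        if "passwordvault" in cmd and "retrievepassword" in cmd:
            hits.append("credential-vault-dump-via-powershell")
        for h in hits:
            findings.append({"rule": h, "pid": ev.pid, "image": ev.image, "chain": ancestry(events, i)})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:40} pid {f['pid']:<5} {' <- '.join(f['chain'])}")
```

The first rule alone is noisy on developer machines where Java build tools spawn cmd.exe, so in production it is usually combined with the ancestry (a Java process whose own parent is wscript.exe, as here) or with the non-.jar rule before it pages anyone; the AV-discovery, PasswordVault and AppData-task rules have little legitimate use and can alert on their own.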