Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 18-01-2022 11:27
Static task: static1
Behavioral task: behavioral1
  Sample: New Price List For DStv&GOtv.pdf.jar
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: New Price List For DStv&GOtv.pdf.jar
  Resource: win10v2004-en-20220112
General
Target: New Price List For DStv&GOtv.pdf.jar
Size: 189KB
MD5: b1d6eafab8240680ef96194944ce3801
SHA1: a9b312e682e43b28d28faf6b66c903ba12dfecf5
SHA256: 85daaa8ff4820b98c0d1471ed68ab675f2fea97f4d6f6f48a951b4344b9c2b38
SHA512: af2daaccce5c601f4dae45ea51113eb85cb86b055dbba22bfaf131200c5ecf4f29ff66c42ae7bb1d9d6fd893cb715f1c77734f211f296ef91f98c5fa0ac37cf2
Malware Config
Signatures
Blocklisted process makes network request (13 IoCs)
Processes: WScript.exe
flow  pid  process
14    764  WScript.exe
15    764  WScript.exe
24    764  WScript.exe
27    764  WScript.exe
28    764  WScript.exe
31    764  WScript.exe
32    764  WScript.exe
33    764  WScript.exe
34    764  WScript.exe
37    764  WScript.exe
38    764  WScript.exe
39    764  WScript.exe
40    764  WScript.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  wscript.exe
Drops startup file (2 IoCs)
Processes: WScript.exe
description                   ioc                                                                                      process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OJBcFWZNgk.js  WScript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OJBcFWZNgk.js  WScript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: WScript.exe
description      ioc                                                                                                                                                                        process
Key created      \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                 WScript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\OJBcFWZNgk.js\""  WScript.exe
Drops file in Program Files directory (12 IoCs)
Processes: javaw.exe
description                   ioc                                                                  process
File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb               javaw.exe
File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb                  javaw.exe
File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb                 javaw.exe
File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb             javaw.exe
File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb                    javaw.exe
File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb           javaw.exe
File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb   javaw.exe
File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb                      javaw.exe
File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb          javaw.exe
File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb     javaw.exe
File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb                        javaw.exe
File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb            javaw.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes: wscript.exe
description  ioc                                                                                process
Key created  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings  wscript.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: svchost.exe
description                       pid   process
Token: SeSystemtimePrivilege      1672  svchost.exe
Token: SeSystemtimePrivilege      1672  svchost.exe
Token: SeIncBasePriorityPrivilege 1672  svchost.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: java.exe, wscript.exe
description                         pid   process      target process
PID 2520 wrote to memory of 1424    2520  java.exe     wscript.exe
PID 2520 wrote to memory of 1424    2520  java.exe     wscript.exe
PID 1424 wrote to memory of 764     1424  wscript.exe  WScript.exe
PID 1424 wrote to memory of 764     1424  wscript.exe  WScript.exe
PID 1424 wrote to memory of 1432    1424  wscript.exe  javaw.exe
PID 1424 wrote to memory of 1432    1424  wscript.exe  javaw.exe
Processes (process tree; indentation shows parent/child depth)
C:\ProgramData\Oracle\Java\javapath\java.exe
  command line: java -jar "C:\Users\Admin\AppData\Local\Temp\New Price List For DStv&GOtv.pdf.jar"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\wscript.exe
    command line: wscript C:\Users\Admin\_output.js
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OJBcFWZNgk.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
    C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\mvfvhnkswy.txt"
      - Drops file in Program Files directory
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
  MD5: 9bb08a6bc36bab5b2038e24d670e1977
  SHA1: c4be6325724f286f7ac00b9eb31b65d6644695cc
  SHA256: fb05185b9ecb495c85740e03ace07e68662fd290c3b9d251858e2b4f7335d31d
  SHA512: 4ce8204cf54d5bb0c9106d03a296dfb832319c3d8a6226429557be45508fe1856dea2be523f9b5595c1d8130a65c9c0a73a566a52fbc0c2d98bb68494f65941e

C:\Users\Admin\AppData\Roaming\OJBcFWZNgk.js
  MD5: fc0cb1ff890aa7f09fd3bd3827af0b87
  SHA1: 5526d64b92cd11fb1d1eb0f0576a921886375a66
  SHA256: 9e2ef6055a292ce2d36436c0e63cb73ea350fe9eadb1fe94c277574f71554100
  SHA512: 2dbe53b6aee7f70b37ae9561c0cb9f91be6e676d23fbba17f8c79a29f2a4f421463115bf9bef379da985592cfd39e6ec548564d331b3914bc3cc4d6e68a47adf

C:\Users\Admin\AppData\Roaming\mvfvhnkswy.txt
  MD5: b3acd757ecc865d9d1cc5f0d28e7c1cd
  SHA1: 21fc24e2f164d12901e9e03473c3b9937d769f29
  SHA256: ba6ee4d1e97961b7fe05f41b9ea98a1c4fc10ff77eb43fd9d8ca47a24ec7a692
  SHA512: c79a895adbcf1bb699af6aa2353b5bf6fe0ac46a1d7db556a60e7b2efd7effc63c9963b97ae70d5279e90a490bf32af046e3109b83d5c9ef946e94ee57ce179e

C:\Users\Admin\_output.js
  MD5: 76a2ee18308c8a93a01c9f081ef8ed45
  SHA1: afe25ab310a108bed28201113bf9421c5e8a08a7
  SHA256: f1ba647a42b3672fd5ec98e21a38eacdb7e96f6a6e5ad30cb0dfcb0d8173d5fa
  SHA512: ddff9f779d911c025ba804237421844dacaadd30243b0b591e928e8e00b574b95f711bee7a631a8be04bc34b8b751c253cf07ef80abed55c90bbab0d8f63fe92

memory/1432-138-0x00000000012E0000-0x00000000012E1000-memory.dmp
  Filesize: 4KB

memory/1432-142-0x0000000002E10000-0x0000000011F10000-memory.dmp
  Filesize: 241.0MB

memory/2520-131-0x0000000002D40000-0x0000000011E40000-memory.dmp
  Filesize: 241.0MB

memory/2520-132-0x0000000000D20000-0x0000000000D21000-memory.dmp
  Filesize: 4KB