Analysis

Max time kernel: 147s
Max time network: 147s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 19/01/2022, 03:59
Static task: static1

Behavioral task: behavioral1
  Sample: Remittance_Advice.jar
  Resource: win7-en-20211208
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Remittance_Advice.jar
  Resource: win10v2004-en-20220112
  0 signatures, 0 seconds
General

Target: Remittance_Advice.jar
Size: 177KB
MD5: bc78ae9bc621453d40e716c9ba1e5477
SHA1: 1da930a525c2fcfc3aa3b19feedb982c76844711
SHA256: 4e0a3a091304f6c072eeb2605636e3dda2b187021218b0b9bbaba909568baaae
SHA512: 62e3139999e3be0b8afd95ec41d281d10436952ced1fb6357a5e3d73325144f7b87203f888a4711ed21733860fe3a29e43b5f84ac7097437673c524cda80f4b7
Score: 10/10
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Remittance_Advice.jar  (process: java.exe)

Loads dropped DLL (2 IoCs)
  PID 1384  java.exe
  PID 1628  java.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remittance_Advice = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Remittance_Advice.jar\""  (process: java.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remittance_Advice = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Remittance_Advice.jar\""  (process: java.exe)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 12: ip-api.com

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1828  schtasks.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)

Suspicious use of WriteProcessMemory (36 IoCs)
Processes

C:\Windows\system32\java.exe
  java -jar C:\Users\Admin\AppData\Local\Temp\Remittance_Advice.jar
  PID: 1704
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Java\jre7\bin\java.exe
    "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\Remittance_Advice.jar"
    PID: 1384
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Remittance_Advice.jar"
      PID: 1300
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Remittance_Advice.jar"
        PID: 1828
        - Creates scheduled task(s)

    C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Remittance_Advice.jar"
      PID: 1628
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        PID: 1620
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
          PID: 672
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        PID: 432
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
          PID: 1980
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        PID: 524
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
          PID: 756

      C:\Windows\system32\cmd.exe
        cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
        PID: 564
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
          PID: 112