Analysis

max time kernel: 149s
max time network: 153s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21/01/2022, 14:24
Static task: static1

Behavioral task: behavioral1
Sample: Order confirmation.jar
Resource: win7-en-20211208
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: Order confirmation.jar
Resource: win10-en-20211208
0 signatures
0 seconds
General

Target: Order confirmation.jar
Size: 187KB
MD5: 9b888e0d179f1079bab199bf682c69d2
SHA1: 55632e020598c5511d3c361fe2e3c483af39b0ba
SHA256: febb815216146ce5b082e909f7ee36a07f2692201b36671fa0f3c73eb7cd407d
SHA512: 684ef507db352bde9942501ef9f8fdb72be541724d10bda4c7f9b6a4c28eace345cd9078e7b27bf09d06c7babd786d04a275fc96b3f54e4d98f70e8f9a1ffbd8
Score: 10/10
Malware Config
Signatures

Blocklisted process makes network request (17 IoCs)
flow | pid  | Process
9    | 1072 | WScript.exe
19   | 1072 | WScript.exe
20   | 1072 | WScript.exe
21   | 1072 | WScript.exe
22   | 1072 | WScript.exe
23   | 1072 | WScript.exe
30   | 1072 | WScript.exe
31   | 1072 | WScript.exe
32   | 1072 | WScript.exe
33   | 1072 | WScript.exe
34   | 1072 | WScript.exe
35   | 1072 | WScript.exe
36   | 1072 | WScript.exe
37   | 1072 | WScript.exe
38   | 1072 | WScript.exe
39   | 1072 | WScript.exe
40   | 1072 | WScript.exe
Drops startup file (2 IoCs)
description                  | ioc                                                                                        | Process
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YSCicdEDwo.js | WScript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YSCicdEDwo.js | WScript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description     | ioc                                                                                                                                                                                        | Process
Key created     | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\YSCicdEDwo.js\"" | WScript.exe
Drops file in Program Files directory (12 IoCs)
description                  | ioc                                                                | Process
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb             | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb         | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb                    | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb           | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb                      | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb                  | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb          | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb                | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb        | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb               | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb   | javaw.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
description | ioc                                                                                   | Process
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | wscript.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description                      | pid  | Process     | procid_target
PID 2480 wrote to memory of 3852 | 2480 | java.exe    | 69
PID 2480 wrote to memory of 3852 | 2480 | java.exe    | 69
PID 3852 wrote to memory of 1072 | 3852 | wscript.exe | 70
PID 3852 wrote to memory of 1072 | 3852 | wscript.exe | 70
PID 3852 wrote to memory of 368  | 3852 | wscript.exe | 71
PID 3852 wrote to memory of 368  | 3852 | wscript.exe | 71
Processes

C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\Order confirmation.jar"
  PID: 2480
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\wscript.exe
    Command line: wscript C:\Users\Admin\_output.js
    PID: 3852
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YSCicdEDwo.js"
      PID: 1072
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application

    C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\qzlxoxjgy.txt"
      PID: 368
      - Drops file in Program Files directory