Analysis
max time kernel: 1806s
max time network: 1808s
platform: windows7_x64
resource: win7-20220414-en
submitted: 17-06-2022 15:23
Static task: static1
Behavioral task: behavioral1
  Sample: JUSTIFICANTES PAGO.jar
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: JUSTIFICANTES PAGO.jar
  Resource: win10-20220414-en
General
Target: JUSTIFICANTES PAGO.jar
Size: 637KB
MD5: a74e3c57306dc12d60d0deadecaf161c
SHA1: 97dee2433ae1eba49ac89fd43dc3a85bbee8c81f
SHA256: c76b5ae3a1a90382ad79314fc98f1c4b3ce81e640e0f0826930836f3a82a7616
SHA512: 17c3b182df76d724920e86d2b83b254427e02a9c5844586993a59f6cd15defd5e0bcc29c6064721bf7b47bf2ca85ac42c90f499c655092f8cda426fc5836277c
Malware Config
Signatures
Blocklisted process makes network request (64 IoCs)
Process: WScript.exe (PID 1816)
  flow | pid | process
  Flow IDs, each a network request from PID 1816 WScript.exe: 4, 6, 7, 9, 10, 11, 13, 14, 15, 17, 18, 19, 21, 22, 23, 25, 26, 27, 29, 30, 31, 33, 34, 35, 37, 38, 39, 41, 42, 43, 45, 46, 47, 49, 50, 51, 53, 54, 55, 57, 58, 59, 61, 62, 63, 65, 66, 67, 69, 70, 71, 73, 74, 75, 77, 78, 79, 81, 82, 83, 85, 86, 87, 89
Drops startup file (2 IoCs)
Process: WScript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBzacvcZKX.js | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBzacvcZKX.js | WScript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: WScript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\yBzacvcZKX.js\"" | WScript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: java.exe, wscript.exe
  description | pid | process | target process
  PID 1284 wrote to memory of 936 | 1284 | java.exe | wscript.exe
  PID 1284 wrote to memory of 936 | 1284 | java.exe | wscript.exe
  PID 1284 wrote to memory of 936 | 1284 | java.exe | wscript.exe
  PID 936 wrote to memory of 1816 | 936 | wscript.exe | WScript.exe
  PID 936 wrote to memory of 1816 | 936 | wscript.exe | WScript.exe
  PID 936 wrote to memory of 1816 | 936 | wscript.exe | WScript.exe
  PID 936 wrote to memory of 780 | 936 | wscript.exe | javaw.exe
  PID 936 wrote to memory of 780 | 936 | wscript.exe | javaw.exe
  PID 936 wrote to memory of 780 | 936 | wscript.exe | javaw.exe
Processes (process tree, indented by depth)
C:\Windows\system32\java.exe
  Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTES PAGO.jar"
  PID: 1284
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wscript.exe
    Command line: wscript C:\Users\Admin\jyahaoabcs.js
    PID: 936
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\yBzacvcZKX.js"
      PID: 1816
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
    C:\Program Files\Java\jre7\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rlfluwu.txt"
      PID: 780
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\rlfluwu.txt
  Filesize: 479KB
  MD5: 0af2ffb0e3a810f556a0eef909a5ecc7
  SHA1: 641fe60bfa8569a0a13dc9279ea1cafb5cb912ad
  SHA256: 9d05feba177ac6b9433f0a28bf9e6ba9828f1621f625f7ca80009a1cf5b5374b
  SHA512: 883f01a0d0c2ed6ada0dd3d2b4548d01b54f6cf4fcfd6a39f9a61511147fefc4ea8ad4392873fd54e4d7c1c04adc01c94bf99447ddfcde925340ae4ea409b1c9
C:\Users\Admin\AppData\Roaming\yBzacvcZKX.js
  Filesize: 24KB
  MD5: 9cb94db4ae02bd253f2a41995076f5d2
  SHA1: 51ff0dc0516a93a8ac5620ccfa4b0e7750ebaeb1
  SHA256: 16288f415596cee7e80051087859c51cd5f2a44cc0c98b708b78a87f89c0a9ec
  SHA512: f3277d959dc34dc4d920261de1cdcf82712982d543b7901f5ddfa7f0a793a33670aa1fec23aa7468ade221e275b02cfa948d3d15aa8fe63a3a011d3363ee4161
C:\Users\Admin\jyahaoabcs.js
  Filesize: 953KB
  MD5: b0858d86fb22aa01d7ad40ef5ab0b069
  SHA1: 6c6c7a2f34149a8702d2ae401294291d38c064a0
  SHA256: 0055c6430d720c28a449fd9df4d9fcb440dfec67f3eff217adfd6e0a2fa97bd0
  SHA512: 980423d2379677a469205c1119cdd323ea36331d53aa46eae98c5fedf67be2cae7023e63e14e7ffb1bb40a378ce3f700f6facfd5edb6a14dba531daddaaba8d6
memory/780-71-0x0000000000000000-mapping.dmp
memory/780-83-0x0000000002120000-0x0000000005120000-memory.dmp
  Filesize: 48.0MB
memory/780-85-0x0000000002120000-0x0000000005120000-memory.dmp
  Filesize: 48.0MB
memory/936-65-0x0000000000000000-mapping.dmp
memory/1284-54-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp
  Filesize: 8KB
memory/1284-64-0x0000000002210000-0x0000000005210000-memory.dmp
  Filesize: 48.0MB
memory/1816-69-0x0000000000000000-mapping.dmp