Analysis
Max time kernel: 133s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20230621-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27-06-2023 14:20
Static task: static1
Behavioral task: behavioral1
  Sample: Payment0627jar.jar
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: Payment0627jar.jar
  Resource: win10v2004-20230621-en
General
Target: Payment0627jar.jar
Size: 70KB
MD5: 0a257f1b297660ebf8f981550c5bfcfe
SHA1: 7b65e7feb8dde2b10c2ba4978df6951cd2c40225
SHA256: 10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b
SHA512: 789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130
SSDEEP: 768:sfZEarPi5ZQ7IT1yhV9JO8BUIm5UljMSfUZ0vTHFjpnfGu6n5rbEaH33kH/:P0Iq77hVc5ojMPZYlj9GPn5d33e/
Malware Config
Signatures

Drops startup file (1 IoC)
  Process: java.exe
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment0627jar.jar

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: java.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment0627jar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment0627jar.jar\""
  Process: java.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment0627jar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment0627jar.jar\""

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1332 wrote to memory of 4600 (pid 1332, process java.exe, procid_target 84)
  PID 1332 wrote to memory of 4600 (pid 1332, process java.exe, procid_target 84)
  PID 1332 wrote to memory of 632 (pid 1332, process java.exe, procid_target 85)
  PID 1332 wrote to memory of 632 (pid 1332, process java.exe, procid_target 85)
  PID 4600 wrote to memory of 4716 (pid 4600, process cmd.exe, procid_target 88)
  PID 4600 wrote to memory of 4716 (pid 4600, process cmd.exe, procid_target 88)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\Payment0627jar.jar
  Depth: 1
  PID: 1332
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"
    Depth: 2
    PID: 4600
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"
      Depth: 3
      PID: 4716
      - Creates scheduled task(s)

  C:\Program Files\Java\jre1.8.0_66\bin\java.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"
    Depth: 2
    PID: 632
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 70KB
MD5: 0a257f1b297660ebf8f981550c5bfcfe
SHA1: 7b65e7feb8dde2b10c2ba4978df6951cd2c40225
SHA256: 10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b
SHA512: 789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130

Filesize: 50B
MD5: e2fb17381d7c0d5848659f227e867890
SHA1: a4685f93552823205025cac3fabb888e3c414a4d
SHA256: 03dbd3fb49bc1b11132891a254e0beaf32c672f70e077faf767e0eefea782595
SHA512: efd0d3b9bc285e68772a07fcd128699cdca56de444c074071e052aa1dec5872241f671e78435c0ae39f5dcf0397d1c69e2c0f9cc45740bbc0e6bcad82a474647