Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2023 14:32

Static task: static1

Behavioral task: behavioral1
- Sample: PO06028jar.jar
- Resource: win7-20230621-en

Behavioral task: behavioral2
- Sample: PO06028jar.jar
- Resource: win10v2004-20230621-en
General
- Target: PO06028jar.jar
- Size: 70KB
- MD5: 1421b13fcff1ed8b4e8ed6d0ec1ef4ec
- SHA1: 7eb847e16c12dc9159e9f8a0b219926ddf9ec401
- SHA256: 98519a10598b6816b5df829028aab2ccd19ddae46c75f25b25c7bafbe7eb8ce3
- SHA512: c91c39cb5eea625ba59b60dc0dca227d84da68b36ad4c79e4dfa39f24fb70349b09b24132abbbfccb1a97439a883ed8d7121fcf119f7f7be106c675a37615e41
- SSDEEP: 1536:Mf9ewjOD9EgIKgngWmvpkPuH08DdgUFFVk1YSeY9UKihA4X9:CewlKdYPW0AvmYPYTihAo
Malware Config
Signatures
- Drops startup file (1 IoCs)
  Processes: java.exe
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO06028jar.jar | java.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: java.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO06028jar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PO06028jar.jar\"" | java.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO06028jar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PO06028jar.jar\"" | java.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  22 | ip-api.com
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: WMIC.exe, WMIC.exe
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege | 3380 | WMIC.exe
  Token: SeSecurityPrivilege | 3380 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3380 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3380 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3380 | WMIC.exe
  Token: SeSystemtimePrivilege | 3380 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3380 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3380 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3380 | WMIC.exe
  Token: SeBackupPrivilege | 3380 | WMIC.exe
  Token: SeRestorePrivilege | 3380 | WMIC.exe
  Token: SeShutdownPrivilege | 3380 | WMIC.exe
  Token: SeDebugPrivilege | 3380 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3380 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3380 | WMIC.exe
  Token: SeUndockPrivilege | 3380 | WMIC.exe
  Token: SeManageVolumePrivilege | 3380 | WMIC.exe
  Token: 33 | 3380 | WMIC.exe
  Token: 34 | 3380 | WMIC.exe
  Token: 35 | 3380 | WMIC.exe
  Token: 36 | 3380 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 3380 | WMIC.exe
  Token: SeSecurityPrivilege | 3380 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3380 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3380 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3380 | WMIC.exe
  Token: SeSystemtimePrivilege | 3380 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3380 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3380 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3380 | WMIC.exe
  Token: SeBackupPrivilege | 3380 | WMIC.exe
  Token: SeRestorePrivilege | 3380 | WMIC.exe
  Token: SeShutdownPrivilege | 3380 | WMIC.exe
  Token: SeDebugPrivilege | 3380 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3380 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3380 | WMIC.exe
  Token: SeUndockPrivilege | 3380 | WMIC.exe
  Token: SeManageVolumePrivilege | 3380 | WMIC.exe
  Token: 33 | 3380 | WMIC.exe
  Token: 34 | 3380 | WMIC.exe
  Token: 35 | 3380 | WMIC.exe
  Token: 36 | 3380 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 1608 | WMIC.exe
  Token: SeSecurityPrivilege | 1608 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1608 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1608 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1608 | WMIC.exe
  Token: SeSystemtimePrivilege | 1608 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1608 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1608 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1608 | WMIC.exe
  Token: SeBackupPrivilege | 1608 | WMIC.exe
  Token: SeRestorePrivilege | 1608 | WMIC.exe
  Token: SeShutdownPrivilege | 1608 | WMIC.exe
  Token: SeDebugPrivilege | 1608 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1608 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1608 | WMIC.exe
  Token: SeUndockPrivilege | 1608 | WMIC.exe
  Token: SeManageVolumePrivilege | 1608 | WMIC.exe
  Token: 33 | 1608 | WMIC.exe
  Token: 34 | 1608 | WMIC.exe
  Token: 35 | 1608 | WMIC.exe
  Token: 36 | 1608 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 1608 | WMIC.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: java.exe, cmd.exe, java.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
  description | pid | Process | procid_target
  PID 416 wrote to memory of 3492 | 416 | java.exe | 86
  PID 416 wrote to memory of 3492 | 416 | java.exe | 86
  PID 416 wrote to memory of 3852 | 416 | java.exe | 87
  PID 416 wrote to memory of 3852 | 416 | java.exe | 87
  PID 3492 wrote to memory of 324 | 3492 | cmd.exe | 90
  PID 3492 wrote to memory of 324 | 3492 | cmd.exe | 90
  PID 3852 wrote to memory of 4140 | 3852 | java.exe | 91
  PID 3852 wrote to memory of 4140 | 3852 | java.exe | 91
  PID 4140 wrote to memory of 3380 | 4140 | cmd.exe | 93
  PID 4140 wrote to memory of 3380 | 4140 | cmd.exe | 93
  PID 3852 wrote to memory of 1848 | 3852 | java.exe | 94
  PID 3852 wrote to memory of 1848 | 3852 | java.exe | 94
  PID 1848 wrote to memory of 1608 | 1848 | cmd.exe | 96
  PID 1848 wrote to memory of 1608 | 1848 | cmd.exe | 96
  PID 3852 wrote to memory of 4120 | 3852 | java.exe | 97
  PID 3852 wrote to memory of 4120 | 3852 | java.exe | 97
  PID 4120 wrote to memory of 4388 | 4120 | cmd.exe | 99
  PID 4120 wrote to memory of 4388 | 4120 | cmd.exe | 99
  PID 3852 wrote to memory of 2020 | 3852 | java.exe | 100
  PID 3852 wrote to memory of 2020 | 3852 | java.exe | 100
  PID 2020 wrote to memory of 2316 | 2020 | cmd.exe | 102
  PID 2020 wrote to memory of 2316 | 2020 | cmd.exe | 102
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\PO06028jar.jar
  PID: 416
  Signatures: Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PO06028jar.jar"
    PID: 3492
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PO06028jar.jar"
      PID: 324
      Signatures: Creates scheduled task(s)
  - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PO06028jar.jar"
    PID: 3852
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
      PID: 4140
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        PID: 3380
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
      PID: 1848
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        PID: 1608
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
      PID: 4120
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        PID: 4388
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
      PID: 2020
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
        PID: 2316
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 70KB
  MD5: 1421b13fcff1ed8b4e8ed6d0ec1ef4ec
  SHA1: 7eb847e16c12dc9159e9f8a0b219926ddf9ec401
  SHA256: 98519a10598b6816b5df829028aab2ccd19ddae46c75f25b25c7bafbe7eb8ce3
  SHA512: c91c39cb5eea625ba59b60dc0dca227d84da68b36ad4c79e4dfa39f24fb70349b09b24132abbbfccb1a97439a883ed8d7121fcf119f7f7be106c675a37615e41
- Filesize: 50B
  MD5: 4393959fec24417d7b85c9423fe8ba0b
  SHA1: c8721a1548769313a58f3a1295d7bb4985c497b6
  SHA256: d7d45026096bda9e2d8d4452c12904606c17be3f06632edd0ed6b891782e3a8d
  SHA512: c7d6414e3dc36039e0baf30e21b8e0da856eff4123f903d0831ae350989bb81629d2b8ecaa3ae169ce94427a26440ecea43f212f8ac1d866a3e61d82d5fe17e5
- Filesize: 70KB
  MD5: 1421b13fcff1ed8b4e8ed6d0ec1ef4ec
  SHA1: 7eb847e16c12dc9159e9f8a0b219926ddf9ec401
  SHA256: 98519a10598b6816b5df829028aab2ccd19ddae46c75f25b25c7bafbe7eb8ce3
  SHA512: c91c39cb5eea625ba59b60dc0dca227d84da68b36ad4c79e4dfa39f24fb70349b09b24132abbbfccb1a97439a883ed8d7121fcf119f7f7be106c675a37615e41