Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14/03/2024, 09:17
Behavioral task
behavioral1
Sample
a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar
Resource
win10v2004-20240226-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar
-
Size
64KB
-
MD5
b41fe131ce29c70de7b55c400cc1fbcb
-
SHA1
282bd6da4b9047609a04afaab6d7495354baa30f
-
SHA256
a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e
-
SHA512
b90ecf59f78fe23ef72422f8da508448248ced7b86afcc43d1428ae2b120f90d10be10986e7d5ac44488ea12143fea9a48523784533e0c38790a1da22bda8e65
-
SSDEEP
1536:cjgwRZ3jmn6fyKsTHJ7gTtozbVrHyCs3KB:cjVRpVHskyvVrysB
Score
10/10
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar java.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar\"" java.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar\"" java.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2568 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2896 WMIC.exe Token: SeSecurityPrivilege 2896 WMIC.exe Token: SeTakeOwnershipPrivilege 2896 WMIC.exe Token: SeLoadDriverPrivilege 2896 WMIC.exe Token: SeSystemProfilePrivilege 2896 WMIC.exe Token: SeSystemtimePrivilege 2896 WMIC.exe Token: SeProfSingleProcessPrivilege 2896 WMIC.exe Token: SeIncBasePriorityPrivilege 2896 WMIC.exe Token: SeCreatePagefilePrivilege 2896 WMIC.exe Token: SeBackupPrivilege 2896 WMIC.exe Token: SeRestorePrivilege 2896 WMIC.exe Token: SeShutdownPrivilege 2896 WMIC.exe Token: SeDebugPrivilege 2896 WMIC.exe Token: SeSystemEnvironmentPrivilege 2896 WMIC.exe Token: SeRemoteShutdownPrivilege 2896 WMIC.exe Token: SeUndockPrivilege 2896 WMIC.exe Token: SeManageVolumePrivilege 2896 WMIC.exe Token: 33 2896 WMIC.exe Token: 34 2896 WMIC.exe Token: 35 2896 WMIC.exe Token: SeIncreaseQuotaPrivilege 2896 WMIC.exe Token: SeSecurityPrivilege 2896 WMIC.exe Token: SeTakeOwnershipPrivilege 2896 WMIC.exe Token: SeLoadDriverPrivilege 2896 WMIC.exe Token: SeSystemProfilePrivilege 2896 WMIC.exe Token: SeSystemtimePrivilege 2896 WMIC.exe Token: SeProfSingleProcessPrivilege 2896 WMIC.exe Token: SeIncBasePriorityPrivilege 2896 WMIC.exe Token: SeCreatePagefilePrivilege 2896 WMIC.exe Token: SeBackupPrivilege 2896 WMIC.exe Token: SeRestorePrivilege 2896 WMIC.exe Token: SeShutdownPrivilege 2896 WMIC.exe Token: SeDebugPrivilege 2896 WMIC.exe Token: SeSystemEnvironmentPrivilege 2896 WMIC.exe Token: SeRemoteShutdownPrivilege 2896 WMIC.exe Token: SeUndockPrivilege 2896 WMIC.exe Token: SeManageVolumePrivilege 2896 WMIC.exe Token: 33 2896 WMIC.exe Token: 34 2896 WMIC.exe Token: 35 2896 WMIC.exe Token: SeIncreaseQuotaPrivilege 436 WMIC.exe Token: SeSecurityPrivilege 436 WMIC.exe Token: SeTakeOwnershipPrivilege 436 WMIC.exe Token: SeLoadDriverPrivilege 436 WMIC.exe Token: SeSystemProfilePrivilege 436 WMIC.exe Token: SeSystemtimePrivilege 436 WMIC.exe Token: SeProfSingleProcessPrivilege 436 WMIC.exe Token: SeIncBasePriorityPrivilege 436 WMIC.exe Token: SeCreatePagefilePrivilege 436 WMIC.exe Token: SeBackupPrivilege 436 WMIC.exe Token: SeRestorePrivilege 436 WMIC.exe Token: SeShutdownPrivilege 436 WMIC.exe Token: SeDebugPrivilege 436 WMIC.exe Token: SeSystemEnvironmentPrivilege 436 WMIC.exe Token: SeRemoteShutdownPrivilege 436 WMIC.exe Token: SeUndockPrivilege 436 WMIC.exe Token: SeManageVolumePrivilege 436 WMIC.exe Token: 33 436 WMIC.exe Token: 34 436 WMIC.exe Token: 35 436 WMIC.exe Token: SeIncreaseQuotaPrivilege 436 WMIC.exe Token: SeSecurityPrivilege 436 WMIC.exe Token: SeTakeOwnershipPrivilege 436 WMIC.exe Token: SeLoadDriverPrivilege 436 WMIC.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 1516 wrote to memory of 2696 1516 java.exe 29 PID 1516 wrote to memory of 2696 1516 java.exe 29 PID 1516 wrote to memory of 2696 1516 java.exe 29 PID 1516 wrote to memory of 2800 1516 java.exe 30 PID 1516 wrote to memory of 2800 1516 java.exe 30 PID 1516 wrote to memory of 2800 1516 java.exe 30 PID 2696 wrote to memory of 2568 2696 cmd.exe 31 PID 2696 wrote to memory of 2568 2696 cmd.exe 31 PID 2696 wrote to memory of 2568 2696 cmd.exe 31 PID 2800 wrote to memory of 2956 2800 java.exe 32 PID 2800 wrote to memory of 2956 2800 java.exe 32 PID 2800 wrote to memory of 2956 2800 java.exe 32 PID 2956 wrote to memory of 2896 2956 cmd.exe 33 PID 2956 wrote to memory of 2896 2956 cmd.exe 33 PID 2956 wrote to memory of 2896 2956 cmd.exe 33 PID 2800 wrote to memory of 268 2800 java.exe 35 PID 2800 wrote to memory of 268 2800 java.exe 35 PID 2800 wrote to memory of 268 2800 java.exe 35 PID 268 wrote to memory of 436 268 cmd.exe 36 PID 268 wrote to memory of 436 268 cmd.exe 36 PID 268 wrote to memory of 436 268 cmd.exe 36 PID 2800 wrote to memory of 1500 2800 java.exe 37 PID 2800 wrote to memory of 1500 2800 java.exe 37 PID 2800 wrote to memory of 1500 2800 java.exe 37 PID 1500 wrote to memory of 636 1500 cmd.exe 38 PID 1500 wrote to memory of 636 1500 cmd.exe 38 PID 1500 wrote to memory of 636 1500 cmd.exe 38 PID 2800 wrote to memory of 2520 2800 java.exe 39 PID 2800 wrote to memory of 2520 2800 java.exe 39 PID 2800 wrote to memory of 2520 2800 java.exe 39 PID 2520 wrote to memory of 876 2520 cmd.exe 41 PID 2520 wrote to memory of 876 2520 cmd.exe 41 PID 2520 wrote to memory of 876 2520 cmd.exe 41 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\system32\cmd.execmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar"2⤵
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar"3⤵
- Creates scheduled task(s)
PID:2568
-
-
-
C:\Program Files\Java\jre7\bin\java.exe"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar"2⤵
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"3⤵
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"3⤵
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list4⤵
- Suspicious use of AdjustPrivilegeToken
PID:436
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"3⤵
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list4⤵PID:636
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"3⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list4⤵PID:876
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar
Filesize64KB
MD5b41fe131ce29c70de7b55c400cc1fbcb
SHA1282bd6da4b9047609a04afaab6d7495354baa30f
SHA256a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e
SHA512b90ecf59f78fe23ef72422f8da508448248ced7b86afcc43d1428ae2b120f90d10be10986e7d5ac44488ea12143fea9a48523784533e0c38790a1da22bda8e65