Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 14-03-2024 09:17
Behavioral tasks
- behavioral1: sample a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar, resource win7-20240221-en
- behavioral2: sample a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar, resource win10v2004-20240226-en
General
- Target: a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar
- Size: 64KB
- MD5: b41fe131ce29c70de7b55c400cc1fbcb
- SHA1: 282bd6da4b9047609a04afaab6d7495354baa30f
- SHA256: a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e
- SHA512: b90ecf59f78fe23ef72422f8da508448248ced7b86afcc43d1428ae2b120f90d10be10986e7d5ac44488ea12143fea9a48523784533e0c38790a1da22bda8e65
- SSDEEP: 1536:cjgwRZ3jmn6fyKsTHJ7gTtozbVrHyCs3KB:cjVRpVHskyvVrysB
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created by java.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by java.exe: \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e
  Set value (str) by java.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e
  Both values (the sandbox prints them JSON-escaped; shown here unescaped) are:
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar"
  Two things worth noting. The value launches javaw.exe (no console window) against a copy of the jar in %APPDATA%, so the sample depends on a JRE already being installed on the victim. And the HKLM (\REGISTRY\MACHINE) entry could only be written because the sandbox runs the sample from an administrator session; on a standard user account that write fails with access denied and only the HKCU entry survives.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flow 4: ip-api.com
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  IoC (from the process tree below): task name "Skype", trigger every 30 minutes (/sc minute /mo 30), action C:\Users\Admin\AppData\Roaming\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar. The task name impersonates a legitimate application and the action is a .jar rather than an executable, both useful hunting criteria.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  WMIC.exe PID 2896 and WMIC.exe PID 436 each enabled the following privileges on their own token. The sandbox logged two full rounds for PID 2896 and one full round plus the start of a second for PID 436 (the listing is capped at 64 entries, which is why it stops at SeLoadDriverPrivilege for PID 436 and why WMIC.exe PIDs 636 and 876 do not appear):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege).
  Caveat: WMIC.exe enables every privilege present in its token when it starts, so this signature fires for any wmic invocation and carries no information about the sample. The signal here is the parent chain (java.exe -> cmd.exe -> WMIC.exe) and the queries themselves, shown in the process tree below.
- Suspicious use of WriteProcessMemory (33 IoCs)
  Writing process -> target process (each pair is logged three times, 11 pairs in total):
  1516 java.exe -> 2696 cmd.exe
  1516 java.exe -> 2800 java.exe
  2696 cmd.exe -> 2568 schtasks.exe
  2800 java.exe -> 2956 cmd.exe
  2956 cmd.exe -> 2896 WMIC.exe
  2800 java.exe -> 268 cmd.exe
  268 cmd.exe -> 436 WMIC.exe
  2800 java.exe -> 1500 cmd.exe
  1500 cmd.exe -> 636 WMIC.exe
  2800 java.exe -> 2520 cmd.exe
  2520 cmd.exe -> 876 WMIC.exe
  Every write goes from a parent into the child it has just created, which is what the sandbox records for ordinary process spawning; there is no write into a pre-existing or unrelated process, so this is not evidence of code injection. What this section does give you is the parent/child map used to label the process tree below.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Indentation reflects the depth markers 1⤵ to 4⤵ of the original; PIDs are taken from the WriteProcessMemory IoCs above.)
- PID 1516  C:\Windows\system32\java.exe
  java -jar C:\Users\Admin\AppData\Local\Temp\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar
  Signatures: Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - PID 2696  C:\Windows\system32\cmd.exe
    cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar"
    Signatures: Suspicious use of WriteProcessMemory
    - PID 2568  C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar"
      Signatures: Creates scheduled task(s)
  - PID 2800  C:\Program Files\Java\jre7\bin\java.exe
    "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar"
    Signatures: Suspicious use of WriteProcessMemory
    - PID 2956  C:\Windows\system32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
      Signatures: Suspicious use of WriteProcessMemory
      - PID 2896  C:\Windows\System32\Wbem\WMIC.exe
        wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        Signatures: Suspicious use of AdjustPrivilegeToken
    - PID 268  C:\Windows\system32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
      Signatures: Suspicious use of WriteProcessMemory
      - PID 436  C:\Windows\System32\Wbem\WMIC.exe
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        Signatures: Suspicious use of AdjustPrivilegeToken
    - PID 1500  C:\Windows\system32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
      Signatures: Suspicious use of WriteProcessMemory
      - PID 636  C:\Windows\System32\Wbem\WMIC.exe
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
    - PID 2520  C:\Windows\system32\cmd.exe
      cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
      Signatures: Suspicious use of WriteProcessMemory
      - PID 876  C:\Windows\System32\Wbem\WMIC.exe
        wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list

Reading the tree: the first java.exe (launched from %TEMP%) establishes persistence, then relaunches its %APPDATA% copy, which fingerprints the host through four cmd.exe -> WMIC.exe hops: the volume serial number (the usual source for a per-victim hardware ID), OS caption and architecture, OS version, and the installed antivirus product. The last query targets root\securitycenter rather than root\securitycenter2, the namespace that Windows Vista and later populate, so on this Windows 7 image it is unlikely to return the installed products.
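The tree above is the whole infection chain in one view: a Java-launched jar copies itself under AppData, registers a scheduled task (and Run keys), and fingerprints the host through cmd.exe -> WMIC.exe. The following Python is an added detection example written for this page; it is not part of the sandbox report or of the sample. It reconstructs that chain from process-creation events (the record fields are modelled on Sysmon Event ID 1: PID, parent PID, image path, command line), attributes every hit to the top-most java/javaw process above it, and alerts only when one Java process tree shows both persistence and host fingerprinting. The sample events are constructed to mirror the PIDs and command lines in this report, with the jar name shortened to sample.jar; two benign controls (a developer running a jar from a project folder and an administrator scheduling a .cmd script) are included to show they are not flagged.

```python
"""Reconstruct the persistence + host-fingerprinting chain of a Java-launched
jar from process-creation events. Added detection example; constructed data."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process create) record."""
    pid: int
    ppid: int
    image: str     # full image path, as logged
    cmdline: str   # command line, as logged


JAVA_IMAGES = {"java.exe", "javaw.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# (rule name, image basenames the rule applies to, regex over the command line)
RULES = [
    # java/javaw launching a jar that lives under the user's AppData tree
    ("java_jar_from_appdata", JAVA_IMAGES,
     re.compile(r'-jar\s+"?[A-Za-z]:\\Users\\[^\\]+\\AppData\\', re.I)),
    # schtasks /create whose action (/tr) is a .jar rather than an executable
    ("schtasks_create_jar", {"schtasks.exe"},
     re.compile(r'/create\b.*?/tr\s+"?[^"]*?\.jar\b', re.I)),
    # AV enumeration through root\SecurityCenter or root\SecurityCenter2
    ("wmic_av_enum", {"wmic.exe"},
     re.compile(r"securitycenter2?.*antivirusproduct", re.I)),
    # HWID / OS fingerprinting via win32_logicaldisk and win32_operatingsystem
    ("wmic_host_fingerprint", {"wmic.exe"},
     re.compile(r"win32_(logicaldisk|operatingsystem)\b.*\bget\b", re.I)),
]
PERSISTENCE = {"schtasks_create_jar"}
RECON = {"wmic_av_enum", "wmic_host_fingerprint"}


def match_rules(ev: ProcEvent) -> Set[str]:
    name = basename(ev.image)
    return {rule for rule, images, rx in RULES
            if name in images and rx.search(ev.cmdline)}


def root_java_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[int]:
    """Walk the parent chain and return the PID of the top-most java/javaw process
    at or above ev, so hits from cmd.exe/WMIC.exe/schtasks.exe descendants are
    attributed to the jar that spawned them. Returns None outside any Java tree."""
    root, cur, seen = None, ev, set()
    while cur is not None and cur.pid not in seen:   # 'seen' guards against PID-reuse loops
        seen.add(cur.pid)
        if basename(cur.image) in JAVA_IMAGES:
            root = cur.pid
        cur = by_pid.get(cur.ppid)
    return root


def analyze(events: List[ProcEvent]) -> Tuple[Dict[int, Set[str]], List[int]]:
    """Return (rule hits keyed by root PID, root PIDs whose tree shows both
    persistence and recon). Hits outside any Java tree are keyed by their own PID."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, Set[str]] = defaultdict(set)
    for ev in events:
        hits = match_rules(ev)
        if hits:
            root = root_java_ancestor(ev, by_pid)
            findings[ev.pid if root is None else root] |= hits
    alerts = sorted(pid for pid, hits in findings.items()
                    if hits & PERSISTENCE and hits & RECON)
    return dict(findings), alerts


# Constructed events mirroring this report's process tree (PIDs from the report;
# the jar name is shortened to sample.jar). PID 1000 is a hypothetical launcher.
SAMPLE_EVENTS = [
    ProcEvent(1516, 1000, r"C:\Windows\system32\java.exe",
              r"java -jar C:\Users\Admin\AppData\Local\Temp\sample.jar"),
    ProcEvent(2696, 1516, r"C:\Windows\system32\cmd.exe",
              r'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\sample.jar"'),
    ProcEvent(2568, 2696, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\sample.jar"'),
    ProcEvent(2800, 1516, r"C:\Program Files\Java\jre7\bin\java.exe",
              r'"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\sample.jar"'),
    ProcEvent(2956, 2800, r"C:\Windows\system32\cmd.exe",
              r'''cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"'''),
    ProcEvent(2896, 2956, r"C:\Windows\System32\Wbem\WMIC.exe",
              r"wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"),
    ProcEvent(2520, 2800, r"C:\Windows\system32\cmd.exe",
              r'''cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"'''),
    ProcEvent(876, 2520, r"C:\Windows\System32\Wbem\WMIC.exe",
              r"wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"),
    # Constructed benign controls: a developer's jar from a project folder, and
    # an administrator scheduling a script (action is .cmd, not .jar).
    ProcEvent(3001, 1000, r"C:\Program Files\Java\jre7\bin\java.exe",
              r"java -jar C:\Dev\build\app.jar"),
    ProcEvent(3002, 1000, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /sc daily /tn Backup /tr "C:\Scripts\backup.cmd"'),
]

if __name__ == "__main__":
    found, alerted = analyze(SAMPLE_EVENTS)
    for pid in sorted(found):
        print(pid, sorted(found[pid]))
    print("alert on root PIDs:", alerted)
```

The alert condition deliberately requires two independent behaviours in one tree (persistence and recon) rather than firing on `wmic ... antivirusproduct` alone, which administrators and inventory agents also run; the attribution step is what makes that combination possible, because the WMIC processes are two hops away from the jar that started them. Feeding real Sysmon data in only requires building ProcEvent records from the ProcessId, ParentProcessId, Image and CommandLine fields.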
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e.jar
  Filesize: 64KB
  MD5: b41fe131ce29c70de7b55c400cc1fbcb
  SHA1: 282bd6da4b9047609a04afaab6d7495354baa30f
  SHA256: a96bfbf20a599ee5f39d549564bb417ab4033193fcc3576b6c7151d29a90611e
  SHA512: b90ecf59f78fe23ef72422f8da508448248ced7b86afcc43d1428ae2b120f90d10be10986e7d5ac44488ea12143fea9a48523784533e0c38790a1da22bda8e65
  These hashes are identical to the submitted sample (see General), so the startup copy is a byte-for-byte duplicate of the original jar rather than a repacked stage. Note that this entry records the all-users Startup folder under C:\ProgramData, while the "Drops startup file" signature records the per-user Startup folder under C:\Users\Admin\AppData\Roaming; check both locations when triaging a host.
- Memory dumps (PID-index-start-end):
  memory/1516-9-0x0000000002090000-0x0000000005090000-memory.dmp: 48.0MB
  memory/1516-10-0x00000000001C0000-0x00000000001C1000-memory.dmp: 4KB
  memory/2800-21-0x0000000002200000-0x0000000005200000-memory.dmp: 48.0MB
  memory/2800-28-0x0000000000120000-0x0000000000121000-memory.dmp: 4KB
  memory/2800-54-0x0000000000120000-0x0000000000121000-memory.dmp: 4KB
  memory/2800-56-0x0000000002200000-0x0000000005200000-memory.dmp: 48.0MB