Analysis

max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 04/06/2024, 12:41
Static task: static1

Behavioral task: behavioral1
  Sample: 79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar
  Resource: win10v2004-20240426-en
Behavioral task: behavioral3
  Sample: B2856B11FF23D35DA2C9C906C61781BA_purchaseorder.jar
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: B2856B11FF23D35DA2C9C906C61781BA_purchaseorder.jar
  Resource: win10v2004-20240508-en
Behavioral task: behavioral5
  Sample: DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
  Resource: win7-20240419-en
Behavioral task: behavioral6
  Sample: DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
  Resource: win10v2004-20240508-en
General

Target: DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
Size: 128KB
MD5: db46adcfae462e7c475c171fbe66df82
SHA1: 2b43211053d00147b2cb9847843911c771fd3db4
SHA256: 02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45
SHA512: 25beab216af2dd7ff9fe4db6a7a4b1246ee225ef9ab48af2873bf5076b8b22ba2c75224592e6b34bddfbb8718a754ffd7c63db6167ef1992b04db143c58e377b
SSDEEP: 3072:VR/6ZQvChcDfJNBOFJKMRXcCqfrCUMBpXOg84WoUeonNTFN:LdvCGJN0FJ1RXcgBpXOjOjSNTFN
Malware Config
Signatures

- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 2972 attrib.exe; PID 884 attrib.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GKXeW0Yke7 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\9bor9J6cRd\\unXX0JIhwW.txt\"" (reg.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GKXeW0Yke7 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\9bor9J6cRd\\unXX0JIhwW.txt\"" (reg.exe)
- Drops desktop.ini file(s) (2 IoCs)
  File created C:\Users\Admin\AppData\Roaming\9bor9J6cRd\Desktop.ini (java.exe)
  File opened for modification C:\Users\Admin\AppData\Roaming\9bor9J6cRd\Desktop.ini (attrib.exe)
- Drops file in Windows directory (4 IoCs)
  File created C:\Windows\tem.txt (java.exe)
  File opened for modification C:\Windows\tem.txt (java.exe)
  File created C:\Windows\tem.txt (javaw.exe)
  File opened for modification C:\Windows\tem.txt (javaw.exe)
- Modifies registry key (1 TTP, 4 IoCs)
  PID 2504 reg.exe; PID 1244 reg.exe; PID 1360 reg.exe; PID 2956 reg.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2088 java.exe; PID 2672 javaw.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Each parent -> child pair below is logged three times (21 entries in total):
  PID 2088 java.exe wrote to memory of PID 2956 (procid_target 29)
  PID 2088 java.exe wrote to memory of PID 2504 (procid_target 30)
  PID 2088 java.exe wrote to memory of PID 2972 (procid_target 31)
  PID 2088 java.exe wrote to memory of PID 884 (procid_target 32)
  PID 2088 java.exe wrote to memory of PID 2672 (procid_target 33)
  PID 2672 javaw.exe wrote to memory of PID 1244 (procid_target 34)
  PID 2672 javaw.exe wrote to memory of PID 1360 (procid_target 35)
- Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 2972 attrib.exe; PID 884 attrib.exe
Processes

- C:\Windows\system32\java.exe (PID 2088)
  java -jar C:\Users\Admin\AppData\Local\Temp\DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
  Drops desktop.ini file(s); Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\reg.exe (PID 2956)
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v GKXeW0Yke7 /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\9bor9J6cRd\unXX0JIhwW.txt\"" /f
    Adds Run key to start application; Modifies registry key
  - C:\Windows\system32\reg.exe (PID 2504)
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GKXeW0Yke7 /f
    Modifies registry key
  - C:\Windows\system32\attrib.exe (PID 2972)
    attrib +s +h +r "C:\Users\Admin\AppData\Roaming\9bor9J6cRd\*.*"
    Sets file to hidden; Drops desktop.ini file(s); Views/modifies file attributes
  - C:\Windows\system32\attrib.exe (PID 884)
    attrib +s +h +r "C:\Users\Admin\AppData\Roaming\9bor9J6cRd"
    Sets file to hidden; Views/modifies file attributes
  - C:\Program Files\Java\jre7\bin\javaw.exe (PID 2672)
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\9bor9J6cRd\unXX0JIhwW.txt"
    Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 1244)
      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v GKXeW0Yke7 /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\9bor9J6cRd\unXX0JIhwW.txt\"" /f
      Adds Run key to start application; Modifies registry key
    - C:\Windows\system32\reg.exe (PID 1360)
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GKXeW0Yke7 /f
      Modifies registry key
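The process tree above is one persistence chain: the dropper relaunches itself through javaw.exe from a .jar renamed to .txt under AppData\Roaming, registers that launch as an HKLM Run value, deletes a same-named HKCU Run value, and hides the drop directory with attrib +s +h +r. Below is detection logic for that chain, written as an added example for this page (it is not part of the sandbox report and not the sample's code). It runs over constructed process-creation records transcribed from the tree, plus one constructed benign javaw launch (PID 4000) as a negative control; the field names pid/ppid/image/cmd are my own and would be mapped from Sysmon Event ID 1 or EDR telemetry. The rule names, regexes and the 4000 PID are assumptions, not anything from the report.

```python
"""Detection of the Java dropper persistence chain from this report, run over
constructed process-creation records (pid, ppid, image, cmd). Field names are
assumptions; map them from Sysmon Event ID 1 or your EDR's process telemetry."""
import ntpath
import re
from typing import Dict, List, Optional, Set

# Records transcribed from the process tree in this report, plus one constructed
# benign javaw launch (PID 4000, hypothetical) as a negative control.
EVENTS: List[Dict] = [
    {"pid": 2088, "ppid": 0, "image": r"C:\Windows\system32\java.exe",
     "cmd": r"java -jar C:\Users\Admin\AppData\Local\Temp\DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar"},
    {"pid": 2956, "ppid": 2088, "image": r"C:\Windows\system32\reg.exe",
     "cmd": r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v GKXeW0Yke7 /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\9bor9J6cRd\unXX0JIhwW.txt\"" /f'},
    {"pid": 2504, "ppid": 2088, "image": r"C:\Windows\system32\reg.exe",
     "cmd": r"reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GKXeW0Yke7 /f"},
    {"pid": 2972, "ppid": 2088, "image": r"C:\Windows\system32\attrib.exe",
     "cmd": r'attrib +s +h +r "C:\Users\Admin\AppData\Roaming\9bor9J6cRd\*.*"'},
    {"pid": 884, "ppid": 2088, "image": r"C:\Windows\system32\attrib.exe",
     "cmd": r'attrib +s +h +r "C:\Users\Admin\AppData\Roaming\9bor9J6cRd"'},
    {"pid": 2672, "ppid": 2088, "image": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "cmd": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\9bor9J6cRd\unXX0JIhwW.txt"'},
    {"pid": 4000, "ppid": 0, "image": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "cmd": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Program Files\Vendor\app.jar"'},
]

# Path handed to "-jar", quoted or bare. Escaped quotes (\") are unescaped first so the
# same regex also works on the inner command line embedded in a "reg add ... /d" payload.
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.I)
# reg add <hive>\Software\Microsoft\Windows\CurrentVersion\Run[Once] /v <name> ... /d <data> [/f]
RUN_ADD = re.compile(
    r'^reg\s+add\s+"?(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\'
    r'Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?"?\s.*?/v\s+(\S+)'
    r'.*?/d\s+(.+?)(?:\s+/f)?\s*$', re.I)
# attrib with both +h and +s anywhere in its arguments; captures the target path.
ATTRIB_HIDE = re.compile(r'^attrib\b(?=.*\+h)(?=.*\+s).*?"?([A-Z]:\\[^"]+?)"?\s*$', re.I)
APPDATA_ROAMING = re.compile(r'\\AppData\\Roaming\\', re.I)
JAVA_LAUNCHER = re.compile(r'^javaw?(\.exe)?$', re.I)


def jar_target(cmd: str) -> Optional[str]:
    """Return the path passed to -jar in a command line, or None."""
    m = JAR_ARG.search(cmd.replace('\\"', '"'))
    return (m.group(1) or m.group(2)) if m else None


def check_run_key(ev: Dict) -> Optional[str]:
    """Run-key persistence whose payload is 'java(w) -jar <file>' on a suspicious file."""
    m = RUN_ADD.match(ev["cmd"])
    if not m:
        return None
    hive, name, data = m.groups()
    target = jar_target(data)
    if target is None:
        return None  # a Run value that is not a -jar launch is out of this rule's scope
    reasons = []
    ext = ntpath.splitext(target)[1].lower()
    if ext != ".jar":
        reasons.append(f"-jar target extension is {ext or 'none'!r}, not .jar")
    if APPDATA_ROAMING.search(target):
        reasons.append("target is under AppData\\Roaming")
    if not reasons:
        return None
    return f"pid {ev['pid']}: {hive} Run value {name!r} launches -jar on {target!r}: " + "; ".join(reasons)


def check_attrib_hide(ev: Dict) -> Optional[str]:
    """attrib +h +s on a path under AppData\\Roaming (hides the drop directory from Explorer)."""
    m = ATTRIB_HIDE.match(ev["cmd"])
    if not m or not APPDATA_ROAMING.search(m.group(1)):
        return None
    return f"pid {ev['pid']}: attrib +h +s on {m.group(1)!r}"


def check_jar_launch(ev: Dict) -> Optional[str]:
    """java/javaw executing -jar on a file whose name does not end in .jar. The JVM opens
    the jar by content (it is a zip archive), so a .txt extension hides nothing from it."""
    if not JAVA_LAUNCHER.match(ntpath.basename(ev["image"])):
        return None
    target = jar_target(ev["cmd"])
    if target is None or target.lower().endswith(".jar"):
        return None
    return f"pid {ev['pid']}: {ntpath.basename(ev['image'])} runs -jar on non-.jar file {target!r}"


CHECKS = {"run_key": check_run_key, "hide": check_attrib_hide, "masquerade_jar": check_jar_launch}


def findings(events: List[Dict]) -> List[str]:
    """All per-event hits, in event order."""
    return [hit for ev in events for hit in (check(ev) for check in CHECKS.values()) if hit]


def correlate(events: List[Dict]) -> Dict[int, Set[str]]:
    """Hit tags grouped by parent PID. A parent whose children both install the Run key
    and hide the drop directory matches the dropper pattern in this report."""
    per_parent: Dict[int, Set[str]] = {}
    for ev in events:
        for tag, check in CHECKS.items():
            if check(ev):
                per_parent.setdefault(ev["ppid"], set()).add(tag)
    return {p: t for p, t in per_parent.items() if {"run_key", "hide"} <= t}


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
    print("dropper parents:", correlate(EVENTS))
```

On the records above this yields four hits (the HKLM reg add, both attrib calls and the javaw relaunch from the .txt) and correlates all of them to PID 2088; the benign launch from Program Files produces nothing. Two points worth keeping in mind when porting this to live telemetry: writing HKLM\...\Run needs administrative rights, which the sandbox's Admin user has, so a rule that only watches HKCU would miss this write on a host where it succeeds; and the tree shows the same-named HKCU value being deleted from both the first java.exe and the relaunched javaw.exe, so the delete is a useful secondary indicator even when the add fails.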
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 63B
  MD5: e783bdd20a976eaeaae1ff4624487420
  SHA1: c2a44fab9df00b3e11582546b16612333c2f9286
  SHA256: 2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3
  SHA512: 8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80
- Filesize: 128KB (size and hashes identical to the submitted sample in General above)
  MD5: db46adcfae462e7c475c171fbe66df82
  SHA1: 2b43211053d00147b2cb9847843911c771fd3db4
  SHA256: 02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45
  SHA512: 25beab216af2dd7ff9fe4db6a7a4b1246ee225ef9ab48af2873bf5076b8b22ba2c75224592e6b34bddfbb8718a754ffd7c63db6167ef1992b04db143c58e377b