df01a1ef7f35a2529131753c700f9a27bd4bca601ad641018799d1458b8f2df8

General

Target

EFIN_REPORTS_PDF.jar
Size

46KB
MD5

c04b8679408ff17a1470e3c0829b1c2a
SHA1

6e84f8390c740af0ff44df33a25dd47a7655605b
SHA256

df01a1ef7f35a2529131753c700f9a27bd4bca601ad641018799d1458b8f2df8
SHA512

e09206f675500cdb7ea43614b754a5372476e8f03205a667c5ad73e0346f4b9f5176bc3e7716640ae15b454c3ebdb768449c8f444a3244d7c08aceebdcc86438
SSDEEP

768:ix7L5dF/e60IM45yHX2m2et7lu9o876b1co1s7Tim3w9my8jSoZC4Pcje2JHp:m7LV64kHXnUDiL+79gkyKLKjtJ

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	java.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	java.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4412	schtasks.exe
4032	schtasks.exe
4048	schtasks.exe
4772	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
452	java.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 3376	452	java.exe	85
PID 452 wrote to memory of 3376	452	java.exe	85
PID 3376 wrote to memory of 4412	3376	cmd.exe	87
PID 3376 wrote to memory of 4412	3376	cmd.exe	87
PID 680 wrote to memory of 3772	680	javaw.exe	89
PID 680 wrote to memory of 3772	680	javaw.exe	89
PID 3772 wrote to memory of 4032	3772	cmd.exe	91
PID 3772 wrote to memory of 4032	3772	cmd.exe	91
PID 1376 wrote to memory of 3584	1376	javaw.exe	94
PID 1376 wrote to memory of 3584	1376	javaw.exe	94
PID 3584 wrote to memory of 4048	3584	cmd.exe	96
PID 3584 wrote to memory of 4048	3584	cmd.exe	96
PID 4452 wrote to memory of 4568	4452	javaw.exe	98
PID 4452 wrote to memory of 4568	4452	javaw.exe	98
PID 4568 wrote to memory of 4772	4568	cmd.exe	100
PID 4568 wrote to memory of 4772	4568	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\EFIN_REPORTS_PDF.jar
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c schtasks /create /tn Nvidia_startup /tr C:\Users\Admin\AppData\Local\Temp\Client-all.jar /sc minute /mo 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn Nvidia_startup /tr C:\Users\Admin\AppData\Local\Temp\Client-all.jar /sc minute /mo 1
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4412

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Client-all.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:680
- C:\Windows\system32\cmd.exe
  cmd /c schtasks /create /tn Nvidia_startup /tr C:\Users\Admin\AppData\Local\Temp\Client-all.jar /sc minute /mo 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn Nvidia_startup /tr C:\Users\Admin\AppData\Local\Temp\Client-all.jar /sc minute /mo 1
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4032

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Client-all.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\system32\cmd.exe
  cmd /c schtasks /create /tn Nvidia_startup /tr C:\Users\Admin\AppData\Local\Temp\Client-all.jar /sc minute /mo 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn Nvidia_startup /tr C:\Users\Admin\AppData\Local\Temp\Client-all.jar /sc minute /mo 1
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4048

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Client-all.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\system32\cmd.exe
  cmd /c schtasks /create /tn Nvidia_startup /tr C:\Users\Admin\AppData\Local\Temp\Client-all.jar /sc minute /mo 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn Nvidia_startup /tr C:\Users\Admin\AppData\Local\Temp\Client-all.jar /sc minute /mo 1
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
71ef0015761eaaf44e41c8e879f5e51b

SHA1
6f9c614505b7a9816846542abe1006070c0aed32

SHA256
072bf83addb4d0d553b4a9a9d8f3721185f6dab90a39572967af62581f4c9eaf

SHA512
b7d71b51189c7f78afc9244866700af8fa7c68c8178cdd02e3701ec0c9c614cb6941485b0dd28135239cc96b5e280c5f14ac59603eb1cbb2f02c83efa13b7d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client-all.jar

Filesize
46KB

MD5
c04b8679408ff17a1470e3c0829b1c2a

SHA1
6e84f8390c740af0ff44df33a25dd47a7655605b

SHA256
df01a1ef7f35a2529131753c700f9a27bd4bca601ad641018799d1458b8f2df8

SHA512
e09206f675500cdb7ea43614b754a5372476e8f03205a667c5ad73e0346f4b9f5176bc3e7716640ae15b454c3ebdb768449c8f444a3244d7c08aceebdcc86438

Download Submit
memory/452-22-0x00000224EAB80000-0x00000224EAB81000-memory.dmp

Filesize
4KB

Download
memory/452-25-0x00000224EAB80000-0x00000224EAB81000-memory.dmp

Filesize
4KB

Download
memory/452-29-0x00000224EAB80000-0x00000224EAB81000-memory.dmp

Filesize
4KB

Download
memory/452-2-0x00000224EC440000-0x00000224EC6B0000-memory.dmp

Filesize
2.4MB

Download
memory/452-38-0x00000224EC440000-0x00000224EC6B0000-memory.dmp

Filesize
2.4MB

Download
memory/452-18-0x00000224EAB80000-0x00000224EAB81000-memory.dmp

Filesize
4KB

Download
memory/452-15-0x00000224EAB80000-0x00000224EAB81000-memory.dmp

Filesize
4KB

Download
memory/680-39-0x000001FC8ECD0000-0x000001FC8EF40000-memory.dmp

Filesize
2.4MB

Download
memory/680-52-0x000001FC8ECB0000-0x000001FC8ECB1000-memory.dmp

Filesize
4KB

Download
memory/680-53-0x000001FC8ECD0000-0x000001FC8EF40000-memory.dmp

Filesize
2.4MB

Download
memory/1376-69-0x00000263B5580000-0x00000263B5581000-memory.dmp

Filesize
4KB

Download
memory/4452-84-0x000001DA44CF0000-0x000001DA44CF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads