Analysis
max time kernel
293s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20250619-en
resource tags
arch:x64 arch:x86 image:win10v2004-20250619-en locale:en-us os:windows10-2004-x64 system
submitted
30/06/2025, 18:29
Behavioral task
behavioral1
Sample
Shipping Bill2806083 dated 28062025.PDF.jar
Resource
win10v2004-20250619-en
Behavioral task
behavioral2
Sample
Shipping Bill2806083 dated 28062025.PDF.jar
Resource
win11-20250619-en
General
Target
Shipping Bill2806083 dated 28062025.PDF.jar
Size
207KB
MD5
8a30b5e4b7e88307428e06d20a2c215e
SHA1
258651d8b434c450f31d0ca53f7b3b0777fd6532
SHA256
d4a0cff4585e4c3f173848935b24350a882edd846dc58a52cff5809a30e38cc9
SHA512
2c8f5062f0ef5c59fce3dda07317695b3059c743e687fcb0422eadb62c745e9db5166be9ca924e521276d3a2b7b66d0a2ca1ff7d029c43c3eb8cd258570c7f94
SSDEEP
3072:eJYejZsTG036ohReYl2JMTs6kebaXD9Ce5Dl6Vqc4iKSW+1/jVUXLRNRb0A+q/ol:KYYev36ohts2KZDlmqc8g/psv+TaoSWH
Malware Config
Signatures

Strrat family

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Bill2806083 dated 28062025.PDF.jar | java.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shipping Bill2806083 dated 28062025.PDF = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Shipping Bill2806083 dated 28062025.PDF.jar\"" | java.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shipping Bill2806083 dated 28062025.PDF = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Shipping Bill2806083 dated 28062025.PDF.jar\"" | java.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 4 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1448 | java.exe
5668 | cmd.exe
2872 | cmd.exe
2908 | java.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4560 | schtasks.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1448 wrote to memory of 5668 | 1448 | java.exe | 89
PID 1448 wrote to memory of 5668 | 1448 | java.exe | 89
PID 1448 wrote to memory of 2908 | 1448 | java.exe | 90
PID 1448 wrote to memory of 2908 | 1448 | java.exe | 90
PID 5668 wrote to memory of 4560 | 5668 | cmd.exe | 95
PID 5668 wrote to memory of 4560 | 5668 | cmd.exe | 95

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\Shipping Bill2806083 dated 28062025.PDF.jar"
  - Drops startup file
  - Adds Run key to start application
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1448

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Shipping Bill2806083 dated 28062025.PDF.jar"
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5668

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Shipping Bill2806083 dated 28062025.PDF.jar"
      - Scheduled Task/Job: Scheduled Task
      PID: 4560

  C:\Program Files\Java\jre-1.8\bin\java.exe
    Command line: "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Shipping Bill2806083 dated 28062025.PDF.jar"
    - System Network Configuration Discovery: Internet Connection Discovery
    PID: 2908

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Shipping Bill2806083 dated 28062025.PDF.jar"
  - System Network Configuration Discovery: Internet Connection Discovery
  PID: 2872
Network
MITRE ATT&CK Enterprise v16

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Shipping Bill2806083 dated 28062025.PDF.jar
Filesize
207KB
MD5
8a30b5e4b7e88307428e06d20a2c215e
SHA1
258651d8b434c450f31d0ca53f7b3b0777fd6532
SHA256
d4a0cff4585e4c3f173848935b24350a882edd846dc58a52cff5809a30e38cc9
SHA512
2c8f5062f0ef5c59fce3dda07317695b3059c743e687fcb0422eadb62c745e9db5166be9ca924e521276d3a2b7b66d0a2ca1ff7d029c43c3eb8cd258570c7f94

Filesize
46B
MD5
24e065d0ebd8442d90edae56e3eda8d3
SHA1
6f848b248203f11fe3d14b0b54a94e71e04500db
SHA256
180b67a9611e296d6a472cef416b335c135b469c74e66bb878e825a583f55631
SHA512
b3d7389ddaca45fa7dd86af0e966a19bb51bfd2095c3db38fdcc228bd77fe27b9d94705d00c2ae98af23678f012901a7302c638bfa63a7ece53c4178a3c294f5