Analysis
max time kernel: 295s
max time network: 298s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30/06/2025, 18:29
Behavioral task: behavioral1
  Sample: Shipping Bill2806083 dated 28062025.PDF.jar
  Resource: win10v2004-20250619-en
Behavioral task: behavioral2
  Sample: Shipping Bill2806083 dated 28062025.PDF.jar
  Resource: win11-20250619-en
General
Target: Shipping Bill2806083 dated 28062025.PDF.jar
Size: 207KB
MD5: 8a30b5e4b7e88307428e06d20a2c215e
SHA1: 258651d8b434c450f31d0ca53f7b3b0777fd6532
SHA256: d4a0cff4585e4c3f173848935b24350a882edd846dc58a52cff5809a30e38cc9
SHA512: 2c8f5062f0ef5c59fce3dda07317695b3059c743e687fcb0422eadb62c745e9db5166be9ca924e521276d3a2b7b66d0a2ca1ff7d029c43c3eb8cd258570c7f94
SSDEEP: 3072:eJYejZsTG036ohReYl2JMTs6kebaXD9Ce5Dl6Vqc4iKSW+1/jVUXLRNRb0A+q/ol:KYYev36ohts2KZDlmqc8g/psv+TaoSWH
Malware Config
Signatures
- Strrat family
- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Bill2806083 dated 28062025.PDF.jar | java.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Windows\CurrentVersion\Run\Shipping Bill2806083 dated 28062025.PDF = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Shipping Bill2806083 dated 28062025.PDF.jar\"" | java.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shipping Bill2806083 dated 28062025.PDF = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Shipping Bill2806083 dated 28062025.PDF.jar\"" | java.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 4 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  1472 | java.exe
  5172 | cmd.exe
  5184 | cmd.exe
  4544 | java.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3508 | schtasks.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1472 wrote to memory of 5184 | 1472 | java.exe | 82
  PID 1472 wrote to memory of 5184 | 1472 | java.exe | 82
  PID 1472 wrote to memory of 4544 | 1472 | java.exe | 84
  PID 1472 wrote to memory of 4544 | 1472 | java.exe | 84
  PID 5184 wrote to memory of 3508 | 5184 | cmd.exe | 86
  PID 5184 wrote to memory of 3508 | 5184 | cmd.exe | 86
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java -jar "C:\Users\Admin\AppData\Local\Temp\Shipping Bill2806083 dated 28062025.PDF.jar"
  - Drops startup file
  - Adds Run key to start application
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1472
    C:\Windows\SYSTEM32\cmd.exe
      cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Shipping Bill2806083 dated 28062025.PDF.jar"
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      PID: 5184
        C:\Windows\system32\schtasks.exe
          schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Shipping Bill2806083 dated 28062025.PDF.jar"
          - Scheduled Task/Job: Scheduled Task
          PID: 3508
    C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Shipping Bill2806083 dated 28062025.PDF.jar"
      - System Network Configuration Discovery: Internet Connection Discovery
      PID: 4544
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Shipping Bill2806083 dated 28062025.PDF.jar"
  - System Network Configuration Discovery: Internet Connection Discovery
  PID: 5172
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Bill2806083 dated 28062025.PDF.jar
  Filesize: 207KB
  MD5: 8a30b5e4b7e88307428e06d20a2c215e
  SHA1: 258651d8b434c450f31d0ca53f7b3b0777fd6532
  SHA256: d4a0cff4585e4c3f173848935b24350a882edd846dc58a52cff5809a30e38cc9
  SHA512: 2c8f5062f0ef5c59fce3dda07317695b3059c743e687fcb0422eadb62c745e9db5166be9ca924e521276d3a2b7b66d0a2ca1ff7d029c43c3eb8cd258570c7f94