Windows
Analysis Report
Tax_Documents_PDF.jar
Overview
General Information
Detection
Dynamic Stealer
Score: 96
Range: 0 - 100
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Sigma detected: Register Jar In Run Key
Suricata IDS alerts for network traffic
Yara detected Dynamic Stealer
Creates autostart registry keys to launch java
Exploit detected, runtime environment starts unknown processes
Java Jar creates autostart registry key (Windows persistence behavior)
Uses cmd line tools excessively to alter registry or file data
Yara detected AllatoriJARObfuscator
Yara detected Skidfuscator
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
Java Jar is obfuscated using Allatori
Launches a Java Jar file from a suspicious file location
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Shell Process Spawned by Java.EXE
Sigma detected: Use Short Name Path in Command Line
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match
Classification
- System is w10x64
  - cmd.exe (PID: 7024 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar"" >> C:\cmdlinestart.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - java.exe (PID: 5780 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar" MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)
  - icacls.exe (PID: 7180 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)
  - conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 7364 cmdline: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - reg.exe (PID: 7412 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  - javaw.exe (PID: 7588 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp MD5: 6E0F4F812AE02FBCB744A929E74A04B8)
  - cmd.exe (PID: 7664 cmdline: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - reg.exe (PID: 7712 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  - javaw.exe (PID: 7892 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp MD5: 6E0F4F812AE02FBCB744A929E74A04B8)
  - cmd.exe (PID: 7964 cmdline: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - reg.exe (PID: 8004 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | ||
INDICATOR_JAVA_Packed_Allatori | Detects files packed with Allatori Java Obfuscator | ditekSHen | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DynamicStealer | Yara detected Dynamic Stealer | Joe Security | ||
JoeSecurity_DynamicStealer | Yara detected Dynamic Stealer | Joe Security | ||
JoeSecurity_Skidfuscator | Yara detected Skidfuscator | Joe Security | ||
JoeSecurity_DynamicStealer | Yara detected Dynamic Stealer | Joe Security | ||
JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | ||
System Summary
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali: |
Source: | Author: frack113, Nasreddine Bencherchali: |
Persistence and Installation Behavior
Source: | Author: Joe Security: |