Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Tax_Documents_PDF.jar

Overview

General Information

Sample name:Tax_Documents_PDF.jar
Analysis ID:1606866
MD5:2f49427faa6c14c15ed0c6f81827acd8
SHA1:c38853655041183c2e9ef3cdb3aa47a5436cc110
SHA256:e042bfca3591d883de83fa82533a7be0995c877c276e0a3e48d43637f874bb96
Tags:jaruser-malrpt
Infos:

Detection

Dynamic Stealer
Score:96
Range:0 - 100
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Register Jar In Run Key
Suricata IDS alerts for network traffic
Yara detected Dynamic Stealer
Creates autostart registry keys to launch java
Exploit detected, runtime environment starts unknown processes
Java Jar creates autostart registry key (Windows persistence behavior)
Uses cmd line tools excessively to alter registry or file data
Yara detected AllatoriJARObfuscator
Yara detected Skidfuscator
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
Java Jar is obfuscated using Allatori
Launches a Java Jar file from a suspicious file location
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Shell Process Spawned by Java.EXE
Sigma detected: Use Short Name Path in Command Line
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 7024 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar"" >> C:\cmdlinestart.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • java.exe (PID: 5780 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar" MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)
      • icacls.exe (PID: 7180 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)
        • conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7364 cmdline: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7412 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • javaw.exe (PID: 7588 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp MD5: 6E0F4F812AE02FBCB744A929E74A04B8)
    • cmd.exe (PID: 7664 cmdline: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 7712 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • javaw.exe (PID: 7892 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp MD5: 6E0F4F812AE02FBCB744A929E74A04B8)
    • cmd.exe (PID: 7964 cmdline: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 8004 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
C:\cmdlinestart.logJoeSecurity_Allatori_JAR_ObfuscatorYara detected Allatori_JAR_ObfuscatorJoe Security
    C:\cmdlinestart.logINDICATOR_JAVA_Packed_AllatoriDetects files packed with Allatori Java ObfuscatorditekSHen
    • 0x158:$s1: # Obfuscation by Allatori Obfuscator
    • 0x3a7:$s1: # Obfuscation by Allatori Obfuscator
    • 0x5f6:$s1: # Obfuscation by Allatori Obfuscator
    • 0x845:$s1: # Obfuscation by Allatori Obfuscator
    • 0xa94:$s1: # Obfuscation by Allatori Obfuscator
    SourceRuleDescriptionAuthorStrings
    00000013.00000003.1541607047.00000000158B7000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_DynamicStealerYara detected Dynamic StealerJoe Security
      0000000E.00000003.1457672595.00000000159DD000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_DynamicStealerYara detected Dynamic StealerJoe Security
        00000002.00000002.2499362699.0000000016B10000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_SkidfuscatorYara detected SkidfuscatorJoe Security
          00000013.00000003.1541316162.000000001589F000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_DynamicStealerYara detected Dynamic StealerJoe Security
            00000002.00000002.2495777355.000000000A5F8000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_Allatori_JAR_ObfuscatorYara detected Allatori_JAR_ObfuscatorJoe Security
              Click to see the 22 entries

              System Summary

              barindex
              Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7412, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home
              Source: Process startedAuthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f, CommandLine: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f, CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7364, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f, ProcessId: 7412, ProcessName: reg.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f", CommandLine: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar" , ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ParentProcessId: 5780, ParentProcessName: java.exe, ProcessCommandLine: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f", ProcessId: 7364, ProcessName: cmd.exe
              Source: Process startedAuthor: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali: Data: Command: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f", CommandLine: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar" , ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ParentProcessId: 5780, ParentProcessName: java.exe, ProcessCommandLine: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f", ProcessId: 7364, ProcessName: cmd.exe
              Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar"" >> C:\cmdlinestart.log 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar"" >> C:\cmdlinestart.log 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5400, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar"" >> C:\cmdlinestart.log 2>&1, ProcessId: 7024, ProcessName: cmd.exe

              Persistence and Installation Behavior

              barindex
              Source: Process startedAuthor: Joe Security: Data: Command: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f", CommandLine: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar" , ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ParentProcessId: 5780, ParentProcessName: java.exe, ProcessCommandLine: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f", ProcessId: 7364, ProcessName: cmd.exe