Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Tax_Documents_PDF.jar

Zip archive data, at least v2.0 to extract, compression method=deflate

initial sample

Details

Filetype:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	7.995977520839823
Filename:	Tax_Documents_PDF.jar
Filesize:	709754
MD5:	2f49427faa6c14c15ed0c6f81827acd8
SHA1:	c38853655041183c2e9ef3cdb3aa47a5436cc110
SHA256:	e042bfca3591d883de83fa82533a7be0995c877c276e0a3e48d43637f874bb96
SHA512:	1070af848e77e181a3fec94ba117c4c8130274c7e3757c0fdf344dc9e3bba48e068970d096b9edd5904ea8a709ab3a66dbdea75e7de63516e9c42c388e0ffe7c
SSDEEP:	12288:yY52PJ8Sf4HO6GQ0hkF10quqljCt7k3ropFRS1cuvXr4JaFR37GfUVSQxOtvmCPp:z5+DfCO6G9+YtursyRvXkM31Ovmd9g3n
Preview:	PK.........`CZ................META-INF/..PK..............PK.........qCZ................A.class.Z{@[.u?GH.B....1..c...$.[ ........6..."]..E.B....1.[.-].mm.f........V.N.h.f.^........e.......z....>....w....}.......[....M(#`...P~E\..e1..............!...L....a

C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp
Category:	dropped
Dump:	1738705111069.tmp.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	7.961023261500021
Encrypted:	false
Ssdeep:	12288:6vnFQJ/HXtwH94lpItgrg+/LRr+BDYNCHOgSpCRxA3UuM2ZcSu1DMu:6vFQJ9wd4Xzrg+FGeCH34RUuxZfu1DMu
Size:	654956
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Register Jar In Run Key	Persistence and Installation Behavior	Registry Run Keys / Startup Folder
Creates autostart registry keys to launch java	Boot Survival	Registry Run Keys / Startup Folder
Java Jar creates autostart registry key (Windows persistence behavior)	Boot Survival	Registry Run Keys / Startup Folder
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Direct Autorun Keys Modification	System Summary
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE	System Summary
Sigma detected: Shell Process Spawned by Java.EXE	System Summary
Uses reg.exe to modify the Windows registry	System Summary	Modify Registry
Spawns processes	System Summary	Process Injection

C:\cmdlinestart.log

ASCII text, with CRLF, LF line terminators

dropped

Details

File:	C:\cmdlinestart.log
Category:	dropped
Dump:	cmdlinestart.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Windows\SysWOW64\cmd.exe
Type:	ASCII text, with CRLF, LF line terminators
Entropy:	1.9483450461438205
Encrypted:	false
Ssdeep:	24:pm1aBiR9E/MRom1aBiR9E/MRom1aBiR9KMRom1aBiR9KMRom1aBiR9K7:MbEeJbEeJbXJbXJb2
Size:	2955
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Yara detected AllatoriJARObfuscator	Data Obfuscation
Sigma detected: Use Short Name Path in Command Line	System Summary
Spawns processes	System Summary	Process Injection

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp
Category:	dropped
Dump:	b5820291038aa69c.timestamp.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.873140679513134
Encrypted:	false
Ssdeep:	3:oFj4I5vpm4USrtQiQUn:oJ5br0Un
Size:	52
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\hsperfdata_user\5780

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\hsperfdata_user\5780
Category:	dropped
Dump:	5780.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Type:	data
Entropy:	1.3126972606001683
Encrypted:	false
Ssdeep:	96:M73rmA8GCox5+xu92dSSd8PUMVSGmKH41yo10Y:M7j8GTx5+xu924Pw1KH4w/
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7588

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\hsperfdata_user\7588
Category:	dropped
Dump:	7588.14.dr
ID:	dr_6
Target ID:	14
Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Type:	data
Entropy:	1.2865105243694104
Encrypted:	false
Ssdeep:	96:FYMrPx8GH0Cx656zD6CXcw0g0Xx3J9uSGKbHG1bowm6:FYg8Ghx656zD6K0p1FHGd
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7892

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\hsperfdata_user\7892
Category:	dropped
Dump:	7892.19.dr
ID:	dr_7
Target ID:	19
Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Type:	data
Entropy:	1.2868899453942177
Encrypted:	false
Ssdeep:	96:bY4r+38GHb+J5lzD6nrTwNDMIlF6uSGKbHG1bowm6:bYd8G7+J5lzD6QgIlI1FHGd
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

C:\Users\user\AppData\Local\Temp\m17387051107872017907981161292762.tmp

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\m17387051107872017907981161292762.tmp
Category:	dropped
Dump:	m17387051107872017907981161292762.tmp.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	7.961023261500021
Encrypted:	false
Ssdeep:	12288:6vnFQJ/HXtwH94lpItgrg+/LRr+BDYNCHOgSpCRxA3UuM2ZcSu1DMu:6vFQJ9wd4Xzrg+FGeCH34RUuxZfu1DMu
Size:	654956
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Type:	data
Entropy:	0.9111711733157262
Encrypted:	false
Ssdeep:	3:/lwlt7n:WNn
Size:	45
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar"" >> C:\cmdlinestart.log 2>&1

C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

"C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f"

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f

C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\reg.exe

C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\reg.exe