Analysis Report PO For-COVID-19 Products.jar

Overview

General Information

Sample Name: PO For-COVID-19 Products.jar
Analysis ID: 279755
MD5: 1d5620ec8f5dc6de6d0c98c53efc9e5b
SHA1: 08fff82996a4590474ad95c43cf0ffb1df604f87
SHA256: 8fa51db15722c9e5ae2ff0344cea3442c090a70f99ebf382e65e39ff1645e37d

Detection

Score: 48 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

  • Multi AV Scanner detection for submitted file
  • Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
  • Contains functionality to query CPU information (cpuid)
  • Creates a process in suspended mode (likely to inject code)
  • Detected potential crypto function
  • Sample execution stops while process was sleeping (likely an evasion)
  • Uses cacls to modify the permissions of files
  • Uses code obfuscation techniques (call, push, ret)

Every code-level and memory-string hit behind these signatures (see Signature Overview) is sourced from the java.exe process, i.e. the JRE that executes the JAR, and the only child process that JVM spawns is icacls.exe; the AV scanner verdicts are the only findings attributed to the JAR file itself, so the remaining signatures cannot on their own be tied to the JAR's code.

Startup

  • System is w10x64
  • cmd.exe (PID: 6824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\PO For-COVID-19 Products.jar"" >> C:\cmdlinestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • java.exe (PID: 6876 cmdline: "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\PO For-COVID-19 Products.jar" MD5: 28733BA8C383E865338638DF5196E6FE)
      • icacls.exe (PID: 6940 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

The -javaagent:jartracer.jar argument and the redirection to C:\cmdlinestart.log belong to the sandbox's launch harness, not to the sample; the sample's own activity begins at java.exe (PID 6876).
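The icacls invocation in the tree above (java.exe granting Everyone modify on C:\ProgramData\Oracle\Java\.oracle_jre_usage) is the behaviour behind the "Uses cacls to modify the permissions of files" signature. The Python below is an added example, not part of the Joe Sandbox report: it parses the Startup tree into parent/child processes and flags any icacls grant of a write-capable right to a world principal, keeping the process ancestry so an analyst can see which process issued the grant. The line format it parses (leading spaces as depth, then "name (PID: n cmdline: ... MD5: hash)") is inferred from the lines above and is an assumption about the report layout, and its treatment of the .oracle_jre_usage grant as expected Oracle JRE 8 launcher behaviour is this editor's knowledge, not something the report states; the example still reports that grant rather than suppressing it.

```python
"""Parse a Joe Sandbox 'Startup' process tree and flag icacls grants to world principals.

Added example, not part of the report. The tree format (leading spaces encode depth,
then 'name (PID: n cmdline: ... MD5: hash)') is inferred from the Startup section and
is an assumption about the report layout.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the Startup process tree of this report, copied verbatim.
STARTUP = r"""
  • cmd.exe (PID: 6824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\PO For-COVID-19 Products.jar"" >> C:\cmdlinestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • java.exe (PID: 6876 cmdline: "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\PO For-COVID-19 Products.jar" MD5: 28733BA8C383E865338638DF5196E6FE)
      • icacls.exe (PID: 6940 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
"""

LINE_RE = re.compile(
    r"^(?P<indent>[ \t]*)• (?P<name>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmdline>.+) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)
# icacls <target> /grant ...; the exe path is unquoted (system32) in this report, so it has no spaces.
ICACLS_RE = re.compile(r'^"?(?P<exe>[^"\s]*icacls\.exe)"?\s+"?(?P<path>[^"]+?)"?\s+(?P<args>/.*)$', re.I)
GRANT_RE = re.compile(r'/grant(?::r)?\s+"?(?P<principal>[^":]+?)"?:(?P<rights>\S+)', re.I)

# Principals that make an ACE effectively world-writable (names and well-known SIDs).
WORLD_PRINCIPALS = {"everyone", "*s-1-1-0", "authenticated users", "*s-1-5-11",
                    "users", "builtin\\users", "*s-1-5-32-545"}
# icacls simple rights (F, M, W, D) and specific rights that allow modification.
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WEA", "WA", "DC", "WDAC", "WO"}
# Assumption (editor's knowledge, not stated by the report): the Oracle JRE 8 launcher itself
# runs icacls to grant Everyone modify on its usage-tracker directory.
KNOWN_JRE_PATH = r"c:\programdata\oracle\java\.oracle_jre_usage"


@dataclass
class Proc:
    name: str
    pid: int
    cmdline: str
    md5: str
    parent: Optional["Proc"] = field(default=None, repr=False, compare=False)
    children: List["Proc"] = field(default_factory=list, repr=False, compare=False)


@dataclass
class Finding:
    pid: int
    path: str
    principal: str
    rights: str
    ancestry: List[str]           # process names from the root down to the icacls process
    expected_jre_behaviour: bool  # java.exe granting Everyone on the JRE usage-tracker directory


def parse_startup(text: str) -> List[Proc]:
    """Build the process tree; a line's parent is the nearest preceding line with less indent."""
    roots: List[Proc] = []
    stack: List[tuple] = []  # (indent, proc) for the current ancestor chain
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent = len(m["indent"])
        proc = Proc(m["name"], int(m["pid"]), m["cmdline"], m["md5"].upper())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if stack:
            proc.parent = stack[-1][1]
            proc.parent.children.append(proc)
        else:
            roots.append(proc)
        stack.append((indent, proc))
    return roots


def grants_write(rights: str) -> bool:
    """True if an icacls rights string such as '(OI)(CI)M' or '(RX,WD)' allows modification."""
    simple = re.sub(r"\((?:OI|CI|IO|NP|I)\)", "", rights, flags=re.I)  # drop inheritance flags
    return any(tok in WRITE_RIGHTS for tok in simple.strip("()").upper().split(","))


def ancestry(proc: Optional[Proc]) -> List[str]:
    chain: List[str] = []
    while proc is not None:
        chain.append(proc.name)
        proc = proc.parent
    return chain[::-1]


def find_world_writable_grants(roots: List[Proc]) -> List[Finding]:
    findings: List[Finding] = []
    stack = list(roots)
    while stack:
        p = stack.pop()
        stack.extend(p.children)
        if p.name.lower() != "icacls.exe":
            continue
        m = ICACLS_RE.match(p.cmdline)
        if not m:
            continue
        for g in GRANT_RE.finditer(m["args"]):
            if g["principal"].lower() not in WORLD_PRINCIPALS or not grants_write(g["rights"]):
                continue
            parent = p.parent.name.lower() if p.parent else ""
            expected = parent == "java.exe" and m["path"].lower().rstrip("\\") == KNOWN_JRE_PATH
            findings.append(Finding(p.pid, m["path"], g["principal"], g["rights"], ancestry(p), expected))
    return findings


if __name__ == "__main__":
    for f in find_world_writable_grants(parse_startup(STARTUP)):
        tag = "expected JRE 8 usage-tracker behaviour" if f.expected_jre_behaviour else "REVIEW"
        print(f"PID {f.pid}: {' -> '.join(f.ancestry)} grants {f.principal}:{f.rights} on {f.path} [{tag}]")
```

Run against this report the script yields a single finding, PID 6940 with ancestry cmd.exe -> java.exe -> icacls.exe, tagged as the expected JRE path; the same grant issued on any other directory, or by any process other than java.exe, is tagged REVIEW, which is the distinction the "Uses cacls" signature alone does not make.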

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: PO For-COVID-19 Products.jar; VirusTotal: Detection: 55%
Source: PO For-COVID-19 Products.jar; ReversingLabs: Detection: 58%
Source: java.exe, 00000002.00000002.207183760.000000000A3C6000.00000004.00000001.sdmp, java.exe, 00000002.00000002.206710672.0000000004F73000.00000004.00000001.sdmp; String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.207119164.0000000005331000.00000004.00000001.sdmp, java.exe, 00000002.00000002.207194480.000000000A3D6000.00000004.00000001.sdmp; String found in binary or memory: http://java.oracle.com/
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Code function: 2_2_02D03A2B
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Code function: 2_2_02CFEC17
Source: classification engine; Classification label: mal48.winJAR@7/2@0/0
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_01
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\PO For-COVID-19 Products.jar"" >> C:\cmdlinestart.log 2>&1
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\PO For-COVID-19 Products.jar"
Source: unknown; Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\PO For-COVID-19 Products.jar"
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Code function 2_2_02C5B377: push 00000000h; mov dword ptr [esp], esp (2_2_02C5B39D)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Code function 2_2_02C5BB27: push 00000000h; mov dword ptr [esp], esp (2_2_02C5BB4D)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Code function 2_2_02C5A1CA: push ecx; ret (2_2_02C5A1DA)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Code function 2_2_02C5A1DB: push ecx; ret (2_2_02C5A1E5)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Code function 2_2_02C5B907: push 00000000h; mov dword ptr [esp], esp (2_2_02C5B92D)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Code function 2_2_02C5C437: push 00000000h; mov dword ptr [esp], esp (2_2_02C5C45D)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Code function 2_2_02C62D44: push eax; retf (2_2_02C62D45)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Code function 2_2_02CF9751: push cs; retf (2_2_02CF9771)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Code function 2_2_02CF9C1B: pushfd; iretd (2_2_02CF9C1E)
Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: java.exe, 00000002.00000002.208113736.0000000015460000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: java.exe, 00000002.00000002.206017236.0000000002B50000.00000004.00000001.sdmp; Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000002.00000002.206017236.0000000002B50000.00000004.00000001.sdmp; Binary or memory string: |[Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000002.208113736.0000000015460000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: java.exe, 00000002.00000002.208113736.0000000015460000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: java.exe, 00000002.00000002.208113736.0000000015460000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Code function 2_2_02CFA298: LdrInitializeThunk
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Memory protected: page read and write | page guard
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe; Code function 2_2_02C50380: cpuid

MITRE ATT&CK Matrix

Techniques listed per tactic; a number in parentheses is the matched-signature marker the report attaches to that technique.

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows)
  • Persistence: Services File Permissions Weakness (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
  • Privilege Escalation: Services File Permissions Weakness (1), Process Injection (11), Logon Script (Windows), Logon Script (Mac)
  • Defense Evasion: Services File Permissions Weakness (1), Disable or Modify Tools (1), Process Injection (11), Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
  • Discovery: Security Software Discovery (1), System Information Discovery (11), Query Registry, System Network Configuration Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
  • Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
  • Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud

Behavior Graph

Behavior Graph ID: 279755; Sample: PO For-COVID-19 Products.jar; Start date: 31/08/2020; Architecture: WINDOWS; Score: 48

Process chain shown in the graph: cmd.exe starts java.exe and conhost.exe; java.exe starts icacls.exe; icacls.exe starts conhost.exe. The only signature attached to the start node is "Multi AV Scanner detection for submitted file".
