Edit tour
Windows
Analysis Report
0003401377294.PDF.jar
Overview
General Information
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Connects to many ports of the same IP (likely port scanning)
Uses cmd line tools excessively to alter registry or file data
Creates autostart registry keys to launch java
Exploit detected, runtime environment starts unknown processes
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Detected potential crypto function
Uses reg.exe to modify the Windows registry
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Classification
- System is w10x64
- 7za.exe (PID: 6404 cmdline:
7za.exe x -y -oC:\ja r "C:\User s\user\Des ktop\00034 01377294.P DF.jar" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C) - conhost.exe (PID: 6400 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- java.exe (PID: 6496 cmdline:
java.exe - jar "C:\Us ers\user\D esktop\000 3401377294 .PDF.jar" IlIIlLllI. lllIlIlIll l.IIlllllI lIIl.lIlIl IIllI.IllI lIlIllIlIl Il MD5: 28733BA8C383E865338638DF5196E6FE) - conhost.exe (PID: 6492 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - icacls.exe (PID: 6580 cmdline:
C:\Windows \system32\ icacls.exe C:\Progra mData\Orac le\Java\.o racle_jre_ usage /gra nt "everyo ne":(OI)(C I)M MD5: FF0D1D4317A44C951240FAE75075D501) - conhost.exe (PID: 6560 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - attrib.exe (PID: 4664 cmdline:
attrib +H C:\Users\u ser\AppDat a\Roaming\ Microsoft\ .tmp\16801 09268319.t mp MD5: A5540E9F87D4CB083BDF8269DEC1CFF9) - conhost.exe (PID: 4788 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 1092 cmdline:
cmd.exe /c "REG ADD HKEY_CURRE NT_USER\So ftware\Mic rosoft\Win dows\Curre ntVersion\ Run /v Hom e /d "C:\P rogram Fil es (x86)\J ava\jre1.8 .0_211\bin \javaw.exe -jar C:\U sers\user\ AppData\Ro aming\Micr osoft\.tmp \168010926 8319.tmp" /f" MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 1252 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - reg.exe (PID: 1916 cmdline:
REG ADD HK EY_CURRENT _USER\Soft ware\Micro soft\Windo ws\Current Version\Ru n /v Home /d "C:\Pro gram Files (x86)\Jav a\jre1.8.0 _211\bin\j avaw.exe - jar C:\Use rs\user\Ap pData\Roam ing\Micros oft\.tmp\1 6801092683 19.tmp" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
- javaw.exe (PID: 6548 cmdline:
"C:\Progra m Files (x 86)\Java\j re1.8.0_21 1\bin\java w.exe" -ja r C:\Users \user\AppD ata\Roamin g\Microsof t\.tmp\168 0109268319 .tmp MD5: 4BFEB2F64685DA09DEBB95FB981D4F65) - cmd.exe (PID: 6868 cmdline:
cmd.exe /c "REG ADD HKEY_CURRE NT_USER\So ftware\Mic rosoft\Win dows\Curre ntVersion\ Run /v Hom e /d "C:\P rogram Fil es (x86)\J ava\jre1.8 .0_211\bin \javaw.exe -jar C:\U sers\user\ AppData\Ro aming\Micr osoft\.tmp \168010926 8319.tmp" /f" MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 6844 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - reg.exe (PID: 3884 cmdline:
REG ADD HK EY_CURRENT _USER\Soft ware\Micro soft\Windo ws\Current Version\Ru n /v Home /d "C:\Pro gram Files (x86)\Jav a\jre1.8.0 _211\bin\j avaw.exe - jar C:\Use rs\user\Ap pData\Roam ing\Micros oft\.tmp\1 6801092683 19.tmp" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
- javaw.exe (PID: 4444 cmdline:
"C:\Progra m Files (x 86)\Java\j re1.8.0_21 1\bin\java w.exe" -ja r C:\Users \user\AppD ata\Roamin g\Microsof t\.tmp\168 0109268319 .tmp MD5: 4BFEB2F64685DA09DEBB95FB981D4F65) - cmd.exe (PID: 6360 cmdline:
cmd.exe /c "REG ADD HKEY_CURRE NT_USER\So ftware\Mic rosoft\Win dows\Curre ntVersion\ Run /v Hom e /d "C:\P rogram Fil es (x86)\J ava\jre1.8 .0_211\bin \javaw.exe -jar C:\U sers\user\ AppData\Ro aming\Micr osoft\.tmp \168010926 8319.tmp" /f" MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 6384 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - reg.exe (PID: 6572 cmdline:
REG ADD HK EY_CURRENT _USER\Soft ware\Micro soft\Windo ws\Current Version\Ru n /v Home /d "C:\Pro gram Files (x86)\Jav a\jre1.8.0 _211\bin\j avaw.exe - jar C:\Use rs\user\Ap pData\Roam ing\Micros oft\.tmp\1 6801092683 19.tmp" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
Timestamp: | 192.168.2.579.110.62.20449698450292853044 03/29/23-09:48:32.342321 |
SID: | 2853044 |
Source Port: | 49698 |
Destination Port: | 45029 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.579.110.62.20449698450292853043 03/29/23-09:48:32.415540 |
SID: | 2853043 |
Source Port: | 49698 |
Destination Port: | 45029 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 79.110.62.204192.168.2.545029497002853042 03/29/23-09:48:49.262986 |
SID: | 2853042 |
Source Port: | 45029 |
Destination Port: | 49700 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.579.110.62.20449699450292853043 03/29/23-09:48:45.369313 |
SID: | 2853043 |
Source Port: | 49699 |
Destination Port: | 45029 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 79.110.62.204192.168.2.545029496992853042 03/29/23-09:48:44.717184 |
SID: | 2853042 |
Source Port: | 45029 |
Destination Port: | 49699 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.579.110.62.20449700450292853043 03/29/23-09:48:50.129851 |
SID: | 2853043 |
Source Port: | 49700 |
Destination Port: | 45029 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 79.110.62.204192.168.2.545029496982853042 03/29/23-09:48:29.776304 |
SID: | 2853042 |
Source Port: | 45029 |
Destination Port: | 49698 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |