General

  • Target

    ShippingDoc.jar

  • Size

    166KB

  • Sample

    201118-8cwkg4vaha

  • MD5

    335c639a4ea7c94f9c53d1e793f08f45

  • SHA1

    d4d26a79b9c0e80b2ecee65f850f6fed21cbbaa2

  • SHA256

    c5efeacdeadcc98e8194c98b92a0a8d385f70a3b76bc32a85d90782b2721425f

  • SHA512

    587282a10f3e2dbd16a2f18b45686b4701e30110f561babe677c6bc795ecc40b6479d3b54bb4cb69c0117eb63ba251d3531621745f6a601aa5699e1fb18a07f2

Malware Config

Targets

    • Target

      ShippingDoc.jar

    • Size

      166KB

    • MD5

      335c639a4ea7c94f9c53d1e793f08f45

    • SHA1

      d4d26a79b9c0e80b2ecee65f850f6fed21cbbaa2

    • SHA256

      c5efeacdeadcc98e8194c98b92a0a8d385f70a3b76bc32a85d90782b2721425f

    • SHA512

      587282a10f3e2dbd16a2f18b45686b4701e30110f561babe677c6bc795ecc40b6479d3b54bb4cb69c0117eb63ba251d3531621745f6a601aa5699e1fb18a07f2

    • STRRAT

      STRRAT is a remote access tool than can steal credentials and log keystrokes.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Command and Control

Web Service

1
T1102

Tasks