Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    15-10-2021 12:30

General

  • Target

    PAYMENT SLIP 2.jar

  • Size

    184KB

  • MD5

    6f8a0a71fa4e9b4f871bd262dda7c0c1

  • SHA1

    8ae0166ac5d5a98cd379fd124829a5877d16e770

  • SHA256

    6c0658315b96ee5b7c95c60279714f9c95017fb22f451c5a73af91583889f1c1

  • SHA512

    1b5e806fcdbc5abca5f16fc1974125b38bb41b2800a4bd981ea4c08dab6f9b3e391b04f2e581672de3e756a1fa8f08fe297376bf687fc8ebd11693f75bd4fbdc

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP 2.jar"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Program Files\Java\jre7\PAYMENT SLIP 2.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Program Files\Java\jre7\bin\java.exe
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\PAYMENT SLIP 2.jar"
        3⤵
        • Drops startup file
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Program Files\Java\jre7\bin\java.exe
          "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP 2.jar"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1748
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
            5⤵
              PID:1472
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2028
            • C:\Windows\system32\cmd.exe
              cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:512
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1624
            • C:\Windows\system32\cmd.exe
              cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1528
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
                6⤵
                  PID:820
              • C:\Windows\system32\cmd.exe
                cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1388
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
                  6⤵
                    PID:556
              • C:\Windows\system32\cmd.exe
                cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP 2.jar"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1676
        • C:\Windows\system32\schtasks.exe
          schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP 2.jar"
          1⤵
          • Creates scheduled task(s)
          PID:1068

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Java\jre7\PAYMENT SLIP 2.jar

          MD5

          6f8a0a71fa4e9b4f871bd262dda7c0c1

          SHA1

          8ae0166ac5d5a98cd379fd124829a5877d16e770

          SHA256

          6c0658315b96ee5b7c95c60279714f9c95017fb22f451c5a73af91583889f1c1

          SHA512

          1b5e806fcdbc5abca5f16fc1974125b38bb41b2800a4bd981ea4c08dab6f9b3e391b04f2e581672de3e756a1fa8f08fe297376bf687fc8ebd11693f75bd4fbdc

        • C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna8294246512392381824.dll

          MD5

          e02979ecd43bcc9061eb2b494ab5af50

          SHA1

          3122ac0e751660f646c73b10c4f79685aa65c545

          SHA256

          a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

          SHA512

          1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3456797065-1076791440-4146276586-1000\83aa4cc77f591dfc2374580bbd95f6ba_9904da6a-19c3-4a6e-a0a9-89cb601578fd

          MD5

          c8366ae350e7019aefc9d1e6e6a498c6

          SHA1

          5731d8a3e6568a5f2dfbbc87e3db9637df280b61

          SHA256

          11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

          SHA512

          33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

        • C:\Users\Admin\AppData\Roaming\PAYMENT SLIP 2.jar

          MD5

          6f8a0a71fa4e9b4f871bd262dda7c0c1

          SHA1

          8ae0166ac5d5a98cd379fd124829a5877d16e770

          SHA256

          6c0658315b96ee5b7c95c60279714f9c95017fb22f451c5a73af91583889f1c1

          SHA512

          1b5e806fcdbc5abca5f16fc1974125b38bb41b2800a4bd981ea4c08dab6f9b3e391b04f2e581672de3e756a1fa8f08fe297376bf687fc8ebd11693f75bd4fbdc

        • C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar

          MD5

          acfb5b5fd9ee10bf69497792fd469f85

          SHA1

          0e0845217c4907822403912ad6828d8e0b256208

          SHA256

          b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

          SHA512

          e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

        • C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar

          MD5

          2f4a99c2758e72ee2b59a73586a2322f

          SHA1

          af38e7c4d0fc73c23ecd785443705bfdee5b90bf

          SHA256

          24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

          SHA512

          b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

        • C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar

          MD5

          b33387e15ab150a7bf560abdc73c3bec

          SHA1

          66b8075784131f578ef893fd7674273f709b9a4c

          SHA256

          2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

          SHA512

          25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

        • C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar

          MD5

          e1aa38a1e78a76a6de73efae136cdb3a

          SHA1

          c463da71871f780b2e2e5dba115d43953b537daf

          SHA256

          2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

          SHA512

          fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

        • C:\Users\Admin\PAYMENT SLIP 2.jar

          MD5

          6f8a0a71fa4e9b4f871bd262dda7c0c1

          SHA1

          8ae0166ac5d5a98cd379fd124829a5877d16e770

          SHA256

          6c0658315b96ee5b7c95c60279714f9c95017fb22f451c5a73af91583889f1c1

          SHA512

          1b5e806fcdbc5abca5f16fc1974125b38bb41b2800a4bd981ea4c08dab6f9b3e391b04f2e581672de3e756a1fa8f08fe297376bf687fc8ebd11693f75bd4fbdc

        • C:\Users\Admin\lib\jna-5.5.0.jar

          MD5

          acfb5b5fd9ee10bf69497792fd469f85

          SHA1

          0e0845217c4907822403912ad6828d8e0b256208

          SHA256

          b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

          SHA512

          e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

        • C:\Users\Admin\lib\jna-platform-5.5.0.jar

          MD5

          2f4a99c2758e72ee2b59a73586a2322f

          SHA1

          af38e7c4d0fc73c23ecd785443705bfdee5b90bf

          SHA256

          24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

          SHA512

          b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

        • C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

          MD5

          b33387e15ab150a7bf560abdc73c3bec

          SHA1

          66b8075784131f578ef893fd7674273f709b9a4c

          SHA256

          2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

          SHA512

          25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

        • C:\Users\Admin\lib\system-hook-3.5.jar

          MD5

          e1aa38a1e78a76a6de73efae136cdb3a

          SHA1

          c463da71871f780b2e2e5dba115d43953b537daf

          SHA256

          2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

          SHA512

          fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

        • \Users\Admin\AppData\Local\Temp\jna-63116079\jna7341921947587976436.dll

          MD5

          e02979ecd43bcc9061eb2b494ab5af50

          SHA1

          3122ac0e751660f646c73b10c4f79685aa65c545

          SHA256

          a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

          SHA512

          1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

        • \Users\Admin\AppData\Local\Temp\jna-63116079\jna8294246512392381824.dll

          MD5

          e02979ecd43bcc9061eb2b494ab5af50

          SHA1

          3122ac0e751660f646c73b10c4f79685aa65c545

          SHA256

          a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

          SHA512

          1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

        • memory/512-102-0x0000000000000000-mapping.dmp

        • memory/556-107-0x0000000000000000-mapping.dmp

        • memory/820-105-0x0000000000000000-mapping.dmp

        • memory/1068-90-0x0000000000000000-mapping.dmp

        • memory/1388-106-0x0000000000000000-mapping.dmp

        • memory/1472-101-0x0000000000000000-mapping.dmp

        • memory/1504-59-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

        • memory/1504-53-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

          Filesize

          8KB

        • memory/1504-56-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

        • memory/1504-57-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

        • memory/1504-60-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

        • memory/1504-61-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

        • memory/1504-62-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

        • memory/1504-63-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

        • memory/1504-55-0x0000000002200000-0x0000000002470000-memory.dmp

          Filesize

          2.4MB

        • memory/1504-54-0x0000000002200000-0x0000000002470000-memory.dmp

          Filesize

          2.4MB

        • memory/1528-104-0x0000000000000000-mapping.dmp

        • memory/1624-103-0x0000000000000000-mapping.dmp

        • memory/1676-86-0x0000000000000000-mapping.dmp

        • memory/1748-94-0x0000000000420000-0x0000000000421000-memory.dmp

          Filesize

          4KB

        • memory/1748-93-0x00000000022B0000-0x0000000002520000-memory.dmp

          Filesize

          2.4MB

        • memory/1748-108-0x0000000000420000-0x0000000000421000-memory.dmp

          Filesize

          4KB

        • memory/1748-87-0x0000000000000000-mapping.dmp

        • memory/1824-73-0x0000000000120000-0x0000000000121000-memory.dmp

          Filesize

          4KB

        • memory/1824-66-0x0000000000000000-mapping.dmp

        • memory/1824-76-0x0000000002320000-0x0000000002590000-memory.dmp

          Filesize

          2.4MB

        • memory/1824-71-0x0000000000120000-0x0000000000121000-memory.dmp

          Filesize

          4KB

        • memory/1868-88-0x0000000000120000-0x0000000000121000-memory.dmp

          Filesize

          4KB

        • memory/1868-82-0x0000000001FF0000-0x0000000002260000-memory.dmp

          Filesize

          2.4MB

        • memory/1868-78-0x0000000000120000-0x0000000000121000-memory.dmp

          Filesize

          4KB

        • memory/1868-72-0x0000000000000000-mapping.dmp