Analysis
-
max time kernel
146s -
max time network
148s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
20-10-2021 06:38
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT SLIP.jar
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
PAYMENT SLIP.jar
Resource
win10-en-20210920
General
-
Target
PAYMENT SLIP.jar
-
Size
184KB
-
MD5
70ba18fc4b0a9904afad5f33870df249
-
SHA1
ff4e7f67c62ede5dfd3513c9b6475ff2cbc1b019
-
SHA256
ca9d7a7c040125eed02d41543978fc9b9f9f0d084f0d0a5c1a3f99a21e0f400b
-
SHA512
061fba8446ed801e2daccc6d7ab911590b923941d3afc6a694fa930fb06f620a1c7908a84d22bc29ac70d6b533159168cdad201c73ee0d24bb7389f133b3f201
Malware Config
Signatures
-
suricata: ET MALWARE STRRAT CnC Checkin
suricata: ET MALWARE STRRAT CnC Checkin
-
Drops startup file 1 IoCs
Processes:
java.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SLIP.jar java.exe -
Loads dropped DLL 2 IoCs
Processes:
java.exejava.exepid Process 1548 java.exe 888 java.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
java.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\PAYMENT SLIP = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SLIP.jar\"" java.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SLIP = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SLIP.jar\"" java.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 ip-api.com -
Drops file in Program Files directory 1 IoCs
Processes:
java.exedescription ioc Process File created C:\Program Files\Java\jre7\PAYMENT SLIP.jar java.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
WMIC.exeWMIC.exedescription pid Process Token: SeIncreaseQuotaPrivilege 1868 WMIC.exe Token: SeSecurityPrivilege 1868 WMIC.exe Token: SeTakeOwnershipPrivilege 1868 WMIC.exe Token: SeLoadDriverPrivilege 1868 WMIC.exe Token: SeSystemProfilePrivilege 1868 WMIC.exe Token: SeSystemtimePrivilege 1868 WMIC.exe Token: SeProfSingleProcessPrivilege 1868 WMIC.exe Token: SeIncBasePriorityPrivilege 1868 WMIC.exe Token: SeCreatePagefilePrivilege 1868 WMIC.exe Token: SeBackupPrivilege 1868 WMIC.exe Token: SeRestorePrivilege 1868 WMIC.exe Token: SeShutdownPrivilege 1868 WMIC.exe Token: SeDebugPrivilege 1868 WMIC.exe Token: SeSystemEnvironmentPrivilege 1868 WMIC.exe Token: SeRemoteShutdownPrivilege 1868 WMIC.exe Token: SeUndockPrivilege 1868 WMIC.exe Token: SeManageVolumePrivilege 1868 WMIC.exe Token: 33 1868 WMIC.exe Token: 34 1868 WMIC.exe Token: 35 1868 WMIC.exe Token: SeIncreaseQuotaPrivilege 1868 WMIC.exe Token: SeSecurityPrivilege 1868 WMIC.exe Token: SeTakeOwnershipPrivilege 1868 WMIC.exe Token: SeLoadDriverPrivilege 1868 WMIC.exe Token: SeSystemProfilePrivilege 1868 WMIC.exe Token: SeSystemtimePrivilege 1868 WMIC.exe Token: SeProfSingleProcessPrivilege 1868 WMIC.exe Token: SeIncBasePriorityPrivilege 1868 WMIC.exe Token: SeCreatePagefilePrivilege 1868 WMIC.exe Token: SeBackupPrivilege 1868 WMIC.exe Token: SeRestorePrivilege 1868 WMIC.exe Token: SeShutdownPrivilege 1868 WMIC.exe Token: SeDebugPrivilege 1868 WMIC.exe Token: SeSystemEnvironmentPrivilege 1868 WMIC.exe Token: SeRemoteShutdownPrivilege 1868 WMIC.exe Token: SeUndockPrivilege 1868 WMIC.exe Token: SeManageVolumePrivilege 1868 WMIC.exe Token: 33 1868 WMIC.exe Token: 34 1868 WMIC.exe Token: 35 1868 WMIC.exe Token: SeIncreaseQuotaPrivilege 780 WMIC.exe Token: SeSecurityPrivilege 780 WMIC.exe Token: SeTakeOwnershipPrivilege 780 WMIC.exe Token: SeLoadDriverPrivilege 780 WMIC.exe Token: SeSystemProfilePrivilege 780 WMIC.exe Token: SeSystemtimePrivilege 780 WMIC.exe Token: SeProfSingleProcessPrivilege 780 WMIC.exe Token: SeIncBasePriorityPrivilege 780 WMIC.exe Token: SeCreatePagefilePrivilege 780 WMIC.exe Token: SeBackupPrivilege 780 WMIC.exe Token: SeRestorePrivilege 780 WMIC.exe Token: SeShutdownPrivilege 780 WMIC.exe Token: SeDebugPrivilege 780 WMIC.exe Token: SeSystemEnvironmentPrivilege 780 WMIC.exe Token: SeRemoteShutdownPrivilege 780 WMIC.exe Token: SeUndockPrivilege 780 WMIC.exe Token: SeManageVolumePrivilege 780 WMIC.exe Token: 33 780 WMIC.exe Token: 34 780 WMIC.exe Token: 35 780 WMIC.exe Token: SeIncreaseQuotaPrivilege 780 WMIC.exe Token: SeSecurityPrivilege 780 WMIC.exe Token: SeTakeOwnershipPrivilege 780 WMIC.exe Token: SeLoadDriverPrivilege 780 WMIC.exe -
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
java.exejava.exejava.execmd.exejava.execmd.execmd.execmd.execmd.exedescription pid Process procid_target PID 1764 wrote to memory of 1844 1764 java.exe 28 PID 1764 wrote to memory of 1844 1764 java.exe 28 PID 1764 wrote to memory of 1844 1764 java.exe 28 PID 1844 wrote to memory of 1548 1844 java.exe 29 PID 1844 wrote to memory of 1548 1844 java.exe 29 PID 1844 wrote to memory of 1548 1844 java.exe 29 PID 1548 wrote to memory of 1312 1548 java.exe 32 PID 1548 wrote to memory of 1312 1548 java.exe 32 PID 1548 wrote to memory of 1312 1548 java.exe 32 PID 1548 wrote to memory of 888 1548 java.exe 33 PID 1548 wrote to memory of 888 1548 java.exe 33 PID 1548 wrote to memory of 888 1548 java.exe 33 PID 1312 wrote to memory of 1928 1312 cmd.exe 34 PID 1312 wrote to memory of 1928 1312 cmd.exe 34 PID 1312 wrote to memory of 1928 1312 cmd.exe 34 PID 888 wrote to memory of 1648 888 java.exe 35 PID 888 wrote to memory of 1648 888 java.exe 35 PID 888 wrote to memory of 1648 888 java.exe 35 PID 1648 wrote to memory of 1868 1648 cmd.exe 36 PID 1648 wrote to memory of 1868 1648 cmd.exe 36 PID 1648 wrote to memory of 1868 1648 cmd.exe 36 PID 888 wrote to memory of 268 888 java.exe 38 PID 888 wrote to memory of 268 888 java.exe 38 PID 888 wrote to memory of 268 888 java.exe 38 PID 268 wrote to memory of 780 268 cmd.exe 39 PID 268 wrote to memory of 780 268 cmd.exe 39 PID 268 wrote to memory of 780 268 cmd.exe 39 PID 888 wrote to memory of 1588 888 java.exe 40 PID 888 wrote to memory of 1588 888 java.exe 40 PID 888 wrote to memory of 1588 888 java.exe 40 PID 1588 wrote to memory of 1540 1588 cmd.exe 41 PID 1588 wrote to memory of 1540 1588 cmd.exe 41 PID 1588 wrote to memory of 1540 1588 cmd.exe 41 PID 888 wrote to memory of 1284 888 java.exe 42 PID 888 wrote to memory of 1284 888 java.exe 42 PID 888 wrote to memory of 1284 888 java.exe 42 PID 1284 wrote to memory of 832 1284 cmd.exe 43 PID 1284 wrote to memory of 832 1284 cmd.exe 43 PID 1284 wrote to memory of 832 1284 cmd.exe 43
Processes
-
C:\Windows\system32\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP.jar"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Program Files\Java\jre7\bin\java.exe"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Program Files\Java\jre7\PAYMENT SLIP.jar"2⤵
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Program Files\Java\jre7\bin\java.exe"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\PAYMENT SLIP.jar"3⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\system32\cmd.execmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP.jar"4⤵
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP.jar"5⤵
- Creates scheduled task(s)
PID:1928
-
-
-
C:\Program Files\Java\jre7\bin\java.exe"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP.jar"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"5⤵
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"5⤵
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list6⤵
- Suspicious use of AdjustPrivilegeToken
PID:780
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"5⤵
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list6⤵PID:1540
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"5⤵
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list6⤵PID:832
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
70ba18fc4b0a9904afad5f33870df249
SHA1ff4e7f67c62ede5dfd3513c9b6475ff2cbc1b019
SHA256ca9d7a7c040125eed02d41543978fc9b9f9f0d084f0d0a5c1a3f99a21e0f400b
SHA512061fba8446ed801e2daccc6d7ab911590b923941d3afc6a694fa930fb06f620a1c7908a84d22bc29ac70d6b533159168cdad201c73ee0d24bb7389f133b3f201
-
MD5
e02979ecd43bcc9061eb2b494ab5af50
SHA13122ac0e751660f646c73b10c4f79685aa65c545
SHA256a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA5121e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2955169046-2371869340-1800780948-1000\83aa4cc77f591dfc2374580bbd95f6ba_db4d14ed-021a-404a-968d-cb66a4d24831
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
MD5
70ba18fc4b0a9904afad5f33870df249
SHA1ff4e7f67c62ede5dfd3513c9b6475ff2cbc1b019
SHA256ca9d7a7c040125eed02d41543978fc9b9f9f0d084f0d0a5c1a3f99a21e0f400b
SHA512061fba8446ed801e2daccc6d7ab911590b923941d3afc6a694fa930fb06f620a1c7908a84d22bc29ac70d6b533159168cdad201c73ee0d24bb7389f133b3f201
-
MD5
acfb5b5fd9ee10bf69497792fd469f85
SHA10e0845217c4907822403912ad6828d8e0b256208
SHA256b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
SHA512e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa
-
MD5
2f4a99c2758e72ee2b59a73586a2322f
SHA1af38e7c4d0fc73c23ecd785443705bfdee5b90bf
SHA25624d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5
SHA512b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494
-
MD5
b33387e15ab150a7bf560abdc73c3bec
SHA166b8075784131f578ef893fd7674273f709b9a4c
SHA2562eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491
SHA51225cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279
-
MD5
e1aa38a1e78a76a6de73efae136cdb3a
SHA1c463da71871f780b2e2e5dba115d43953b537daf
SHA2562ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609
SHA512fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d
-
MD5
70ba18fc4b0a9904afad5f33870df249
SHA1ff4e7f67c62ede5dfd3513c9b6475ff2cbc1b019
SHA256ca9d7a7c040125eed02d41543978fc9b9f9f0d084f0d0a5c1a3f99a21e0f400b
SHA512061fba8446ed801e2daccc6d7ab911590b923941d3afc6a694fa930fb06f620a1c7908a84d22bc29ac70d6b533159168cdad201c73ee0d24bb7389f133b3f201
-
MD5
acfb5b5fd9ee10bf69497792fd469f85
SHA10e0845217c4907822403912ad6828d8e0b256208
SHA256b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
SHA512e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa
-
MD5
2f4a99c2758e72ee2b59a73586a2322f
SHA1af38e7c4d0fc73c23ecd785443705bfdee5b90bf
SHA25624d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5
SHA512b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494
-
MD5
b33387e15ab150a7bf560abdc73c3bec
SHA166b8075784131f578ef893fd7674273f709b9a4c
SHA2562eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491
SHA51225cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279
-
MD5
e1aa38a1e78a76a6de73efae136cdb3a
SHA1c463da71871f780b2e2e5dba115d43953b537daf
SHA2562ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609
SHA512fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d
-
MD5
e02979ecd43bcc9061eb2b494ab5af50
SHA13122ac0e751660f646c73b10c4f79685aa65c545
SHA256a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA5121e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372
-
MD5
e02979ecd43bcc9061eb2b494ab5af50
SHA13122ac0e751660f646c73b10c4f79685aa65c545
SHA256a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA5121e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372