Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    07/12/2021, 15:33

General

  • Target

    DOCUMENTS FOR SHIPMENTS PDF XLS.jar

  • Size

    284KB

  • MD5

    651a47b5e2e3638430e6148e79a7e23b

  • SHA1

    c8aaea1eaace67c045413c445d17c71af3e8c0fa

  • SHA256

    bb3be9616c4b23e2f5cda17b56b8656a5d71f643fdf545056c97a242b69a6115

  • SHA512

    3f680a9e80eff306ad4386991b33fe1d171eec0d8c1ad3f1e8c4d9322275f049befa0ada6cb53e8f01cda3809bb29e454cdade59c22ae20cfc53add056ff2324

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool that can steal credentials and log keystrokes.

  • Drops startup file (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Windows\system32\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\DOCUMENTS FOR SHIPMENTS PDF XLS.jar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\DOCUMENTS FOR SHIPMENTS PDF XLS.jar"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Windows\system32\cmd.exe
        cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\DOCUMENTS FOR SHIPMENTS PDF XLS.jar"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\system32\schtasks.exe
          schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\DOCUMENTS FOR SHIPMENTS PDF XLS.jar"
          4⤵
          • Creates scheduled task(s)
          PID:1596
      • C:\Program Files\Java\jre7\bin\java.exe
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\DOCUMENTS FOR SHIPMENTS PDF XLS.jar"
        3⤵
        • Loads dropped DLL
        PID:1996

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • memory/1140-72-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)
        • memory/1140-75-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)
        • memory/1140-102-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)
        • memory/1140-101-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)
        • memory/1140-100-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)
        • memory/1140-55-0x000007FEFBA61000-0x000007FEFBA63000-memory.dmp (Filesize: 8KB)
        • memory/1140-76-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)
        • memory/1140-105-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)
        • memory/1140-73-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)
        • memory/1140-71-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)
        • memory/1140-60-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)
        • memory/1140-59-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)
        • memory/1140-58-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)
        • memory/1140-57-0x00000000021E0000-0x0000000002450000-memory.dmp (Filesize: 2.4MB)
        • memory/1140-56-0x00000000021E0000-0x0000000002450000-memory.dmp (Filesize: 2.4MB)
        • memory/1272-119-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
        • memory/1272-128-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
        • memory/1272-131-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
        • memory/1272-118-0x00000000021D0000-0x0000000002440000-memory.dmp (Filesize: 2.4MB)
        • memory/1996-139-0x00000000022F0000-0x0000000002560000-memory.dmp (Filesize: 2.4MB)