Analysis

  • max time kernel
    1799s
  • max time network
    1805s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    08/12/2021, 15:50

General

  • Target

    mrkbajwnyr.txt.jar

  • Size

    185KB

  • MD5

    4a769959e2ee2785d32ef2161f28cd8b

  • SHA1

    e31b455b90081313e3b7405db3efe1582fe39daa

  • SHA256

    496536d34981fc4155772fe136930ef13cf16116a4df18e6261dd084fce40b21

  • SHA512

    8ef798581834a365f8a7649572c8683e9294cb950917b9c1e9b6ae60bf48b2e4d0e3be312843e398868f31835f276df24f4c5c2b6fb07b654322a8d5351815ca

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\mrkbajwnyr.txt.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\mrkbajwnyr.txt.jar"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Windows\system32\cmd.exe
        cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\mrkbajwnyr.txt.jar"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1468
        • C:\Windows\system32\schtasks.exe
          schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\mrkbajwnyr.txt.jar"
          4⤵
          • Creates scheduled task(s)
          PID:992
      • C:\Program Files\Java\jre7\bin\java.exe
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\mrkbajwnyr.txt.jar"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\system32\cmd.exe
          cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1104
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1616
        • C:\Windows\system32\cmd.exe
          cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:912
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1780
        • C:\Windows\system32\cmd.exe
          cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:684
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
            5⤵
              PID:1216
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:268
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
              5⤵
                PID:1708
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {935A0B6A-90CF-41E6-851E-B96269E932AB} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:736
        • C:\Program Files\Java\jre7\bin\javaw.exe
          "C:\Program Files\Java\jre7\bin\javaw.exe" "C:\Users\Admin\AppData\Roaming\mrkbajwnyr.txt.jar"
          2⤵
            PID:1096

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/592-82-0x0000000000130000-0x0000000000131000-memory.dmp

                Filesize

                4KB

              • memory/592-80-0x0000000000130000-0x0000000000131000-memory.dmp

                Filesize

                4KB

              • memory/592-70-0x0000000002210000-0x0000000002480000-memory.dmp

                Filesize

                2.4MB

              • memory/592-87-0x0000000000130000-0x0000000000131000-memory.dmp

                Filesize

                4KB

              • memory/592-69-0x0000000000130000-0x0000000000131000-memory.dmp

                Filesize

                4KB

              • memory/776-55-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

                Filesize

                8KB

              • memory/776-62-0x0000000000320000-0x0000000000321000-memory.dmp

                Filesize

                4KB

              • memory/776-66-0x0000000000320000-0x0000000000321000-memory.dmp

                Filesize

                4KB

              • memory/776-57-0x0000000002100000-0x0000000002370000-memory.dmp

                Filesize

                2.4MB

              • memory/776-63-0x0000000000320000-0x0000000000321000-memory.dmp

                Filesize

                4KB

              • memory/776-58-0x0000000000320000-0x0000000000321000-memory.dmp

                Filesize

                4KB

              • memory/776-56-0x0000000002100000-0x0000000002370000-memory.dmp

                Filesize

                2.4MB

              • memory/776-59-0x0000000000320000-0x0000000000321000-memory.dmp

                Filesize

                4KB

              • memory/776-61-0x0000000000320000-0x0000000000321000-memory.dmp

                Filesize

                4KB

              • memory/776-60-0x0000000000320000-0x0000000000321000-memory.dmp

                Filesize

                4KB

              • memory/1096-148-0x0000000002170000-0x00000000023E0000-memory.dmp

                Filesize

                2.4MB

              • memory/1096-149-0x0000000000220000-0x0000000000221000-memory.dmp

                Filesize

                4KB

              • memory/1512-119-0x0000000000220000-0x0000000000221000-memory.dmp

                Filesize

                4KB

              • memory/1512-105-0x0000000000220000-0x0000000000221000-memory.dmp

                Filesize

                4KB

              • memory/1512-128-0x0000000000220000-0x0000000000221000-memory.dmp

                Filesize

                4KB

              • memory/1512-129-0x0000000000220000-0x0000000000221000-memory.dmp

                Filesize

                4KB

              • memory/1512-91-0x0000000002220000-0x0000000002490000-memory.dmp

                Filesize

                2.4MB

              • memory/1512-90-0x0000000000220000-0x0000000000221000-memory.dmp

                Filesize

                4KB