Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    09/12/2021, 12:54

General

  • Target

    DOCUMENTS_SHIPPING_107865489 (2).jar

  • Size

    95KB

  • MD5

    d79532f750087749d27a51d2b6193c5f

  • SHA1

    5f4c9b790017fdde77432984b125baaf59ca3144

  • SHA256

    1571a4bf6d272dced62cf114cbc864994cd7d360097263b277a3ac50ac226d21

  • SHA512

    bd5f4c0b9a9455ba7b1848574be228c714323f6e3bf144898e3be602089707b5ea066e67c51c60ba062dd3bb6db2495b68627801ccafd8f7beea1a181411519b

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\DOCUMENTS_SHIPPING_107865489 (2).jar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\DOCUMENTS_SHIPPING_107865489 (2).jar"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\system32\cmd.exe
        cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\DOCUMENTS_SHIPPING_107865489 (2).jar"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\system32\schtasks.exe
          schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\DOCUMENTS_SHIPPING_107865489 (2).jar"
          4⤵
          • Creates scheduled task(s)
          PID:1524
      • C:\Program Files\Java\jre7\bin\java.exe
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\DOCUMENTS_SHIPPING_107865489 (2).jar"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\Windows\system32\cmd.exe
          cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1656
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1092
        • C:\Windows\system32\cmd.exe
          cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1684
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1244
        • C:\Windows\system32\cmd.exe
          cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1412
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
            5⤵
              PID:1728
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1764
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
              5⤵
                PID:304

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1600-118-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1600-111-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1600-112-0x0000000002390000-0x0000000002600000-memory.dmp

              Filesize

              2.4MB

            • memory/1848-63-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1848-55-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

              Filesize

              8KB

            • memory/1848-80-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1848-56-0x00000000023A0000-0x0000000002610000-memory.dmp

              Filesize

              2.4MB

            • memory/1848-77-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1848-86-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1848-61-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1848-59-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1848-58-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1848-57-0x00000000023A0000-0x0000000002610000-memory.dmp

              Filesize

              2.4MB

            • memory/1848-78-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1848-74-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1848-62-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1848-73-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1848-79-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/2020-101-0x0000000000230000-0x0000000000231000-memory.dmp

              Filesize

              4KB

            • memory/2020-91-0x0000000002170000-0x00000000023E0000-memory.dmp

              Filesize

              2.4MB

            • memory/2020-100-0x0000000000230000-0x0000000000231000-memory.dmp

              Filesize

              4KB

            • memory/2020-90-0x0000000000230000-0x0000000000231000-memory.dmp

              Filesize

              4KB

            • memory/2020-109-0x0000000000230000-0x0000000000231000-memory.dmp

              Filesize

              4KB