Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    18/12/2021, 08:50

General

  • Target

    SHIPPING DOCUMENTS_00298761 PDF.jar

  • Size

    95KB

  • MD5

    94c7b2d865bde2640f25675a1c4f6505

  • SHA1

    9d535b02ae1babcf0a0f15c2925b4b8a0ba02ba9

  • SHA256

    dd3b94cbb244bf2e3ee0154ad78e2d352af3fd95a976abe5f5f3f2d4d630a873

  • SHA512

    36250bb4633e68d08d62c452a73ace0255705fc4c2a2b7e1252a69033293e4b58028df7bde4191ecccfe33651fff8c79d8ce833b75cfb1bbf7180b68f6f590fe

Malware Config

Signatures

  • STRRAT

    STRRAT is a Java-based remote access tool that can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here it registers a task named "Skype" that re-runs the copy of the JAR in AppData\Roaming every 30 minutes.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS_00298761 PDF.jar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\SHIPPING DOCUMENTS_00298761 PDF.jar"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\system32\cmd.exe
        cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SHIPPING DOCUMENTS_00298761 PDF.jar"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Windows\system32\schtasks.exe
          schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SHIPPING DOCUMENTS_00298761 PDF.jar"
          4⤵
          • Creates scheduled task(s)
          PID:1736
      • C:\Program Files\Java\jre7\bin\java.exe
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\SHIPPING DOCUMENTS_00298761 PDF.jar"
        3⤵
        • Loads dropped DLL
        PID:1892
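
The chain above (java.exe launching cmd.exe, which runs schtasks /create with a .jar under AppData\Roaming as the action, while further java.exe instances run the JAR from user-writable paths) is what a detection should key on. The following is an added example and is not code from the sandbox or from the report: it runs three rules over constructed process-creation events whose PIDs and command lines are copied from the process tree. The event dict layout, the rule names and the user-writable-path heuristic are assumptions made for this example.

```python
"""Detection rules for the STRRAT persistence chain shown in the process tree.

Added example, not part of the sandbox report. Runs offline over constructed
process-creation events; the event layout and rule names are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed events modelled on the process tree above (pids, parents and
# command lines copied from the report; the dict layout is an assumption).
EVENTS = [
    {"pid": 1648, "ppid": 0, "image": r"C:\Windows\system32\java.exe",
     "cmdline": r'java -jar "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS_00298761 PDF.jar"'},
    {"pid": 1824, "ppid": 1648, "image": r"C:\Program Files\Java\jre7\bin\java.exe",
     "cmdline": r'"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\SHIPPING DOCUMENTS_00298761 PDF.jar"'},
    {"pid": 1672, "ppid": 1824, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SHIPPING DOCUMENTS_00298761 PDF.jar"'},
    {"pid": 1736, "ppid": 1672, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SHIPPING DOCUMENTS_00298761 PDF.jar"'},
    {"pid": 1892, "ppid": 1824, "image": r"C:\Program Files\Java\jre7\bin\java.exe",
     "cmdline": r'"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\SHIPPING DOCUMENTS_00298761 PDF.jar"'},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Anything under the user profile (profile root, AppData\Roaming, Local\Temp, ...).
_USER_PATH = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.I)
_JAVA = ("java.exe", "javaw.exe")
_LOLBINS = ("cmd.exe", "schtasks.exe", "powershell.exe", "wscript.exe")


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def tokenize(cmdline: str) -> list:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def is_user_writable(path: str) -> bool:
    """True for paths inside a user profile directory (heuristic for 'attacker-writable')."""
    return bool(_USER_PATH.match(path))


def parse_schtasks(tokens: list):
    """Return the options of a 'schtasks /create' command line as a dict, else None.

    Handles both a direct schtasks.exe call and one wrapped in 'cmd /c ...'.
    """
    for i, tok in enumerate(tokens):
        if tok.lower().rsplit("\\", 1)[-1] in ("schtasks", "schtasks.exe"):
            args = tokens[i + 1:]
            break
    else:
        return None
    if not args or args[0].lower() != "/create":
        return None
    opts, j = {}, 1
    while j < len(args):
        key = args[j].lower()
        # A switch followed by a non-switch token takes that token as its value.
        if j + 1 < len(args) and not args[j + 1].startswith("/"):
            opts[key] = args[j + 1]
            j += 2
        else:
            opts[key] = True  # bare switch such as /f
            j += 1
    return opts


def analyse(events: list) -> list:
    """Apply the three rules to every event and return the findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        toks = tokenize(e["cmdline"])
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        # Rule 1: java -jar whose JAR lives in a user-writable location.
        if image.endswith(_JAVA):
            for k, t in enumerate(toks):
                if t.lower() == "-jar" and k + 1 < len(toks) and is_user_writable(toks[k + 1]):
                    findings.append(Finding(e["pid"], "java_jar_user_path", toks[k + 1]))
        # Rule 2: a JVM spawning a shell or scheduler binary.
        if parent and parent["image"].lower().endswith(_JAVA) and image.endswith(_LOLBINS):
            findings.append(Finding(e["pid"], "java_spawns_lolbin", e["image"]))
        # Rule 3: schtasks /create whose action is a .jar or sits in a user-writable path.
        opts = parse_schtasks(toks)
        if opts:
            action = opts.get("/tr", "")
            if isinstance(action, str) and (action.lower().endswith(".jar") or is_user_writable(action)):
                detail = f"{opts.get('/tn')} every {opts.get('/mo')} {opts.get('/sc')} -> {action}"
                findings.append(Finding(e["pid"], "schtasks_user_path_action", detail))
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"pid {f.pid:<5} {f.rule:<26} {f.detail}")
```

Rule 3 fires on both the cmd.exe wrapper (PID 1672) and the schtasks.exe child (PID 1736) on purpose: depending on the sensor, either may be the only one logged. Note that the task action is the .jar itself rather than java.exe, so the scheduled relaunch relies on the .jar file association the JRE registers; a rule that only looks for java.exe as the task action would miss this variant.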

Network

MITRE ATT&CK Enterprise v6


Downloads

  Filesize  Dump
  8KB       memory/1648-55-0x000007FEFB791000-0x000007FEFB793000-memory.dmp
  2.4MB     memory/1648-56-0x0000000002280000-0x00000000024F0000-memory.dmp
  2.4MB     memory/1648-57-0x0000000002280000-0x00000000024F0000-memory.dmp
  4KB       memory/1648-58-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1648-59-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1648-62-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1648-64-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1648-66-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1648-71-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1648-72-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1648-73-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1648-75-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1648-77-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1648-78-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1648-79-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1648-80-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1648-81-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1648-84-0x0000000001C50000-0x0000000001C51000-memory.dmp
  2.4MB     memory/1824-88-0x0000000002100000-0x0000000002370000-memory.dmp
  4KB       memory/1824-89-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1824-100-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1824-101-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1824-106-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1892-109-0x0000000001C50000-0x0000000001C51000-memory.dmp
  2.4MB     memory/1892-110-0x00000000020B0000-0x0000000002320000-memory.dmp
  4KB       memory/1892-129-0x0000000001C50000-0x0000000001C51000-memory.dmp
  4KB       memory/1892-138-0x0000000001C50000-0x0000000001C51000-memory.dmp