Analysis Overview
SHA256
ad13f2f5590aa12b204c3713520f605595ab04f468577424effd742251a35712
Threat Level: Known bad
The file SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar was found to be: Known bad.
Malicious Activity Summary
STRRAT
suricata: ET MALWARE STRRAT Initial HTTP Activity
Drops startup file
Loads dropped DLL
Adds Run key to start application
Drops file in Program Files directory
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-12-18 08:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-18 08:50
Reported
2021-12-18 08:52
Platform
win7-en-20211208
Max time kernel
149s
Max time network
149s
Command Line
Signatures
STRRAT
suricata: ET MALWARE STRRAT Initial HTTP Activity
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar | C:\Program Files\Java\jre7\bin\java.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre7\bin\java.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre7\bin\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar\"" | C:\Program Files\Java\jre7\bin\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar\"" | C:\Program Files\Java\jre7\bin\java.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar"
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar"
C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar"
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | repo1.maven.org | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 140.82.113.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | str-master.pw | udp |
| DE | 142.93.110.250:80 | str-master.pw | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
| CA | 198.27.77.242:1788 | | tcp |
| CA | 198.27.77.242:1776 | | tcp |
Files
memory/1752-55-0x000007FEFC261000-0x000007FEFC263000-memory.dmp
memory/1752-56-0x00000000020B0000-0x0000000002320000-memory.dmp
memory/1752-57-0x00000000020B0000-0x0000000002320000-memory.dmp
memory/1752-58-0x0000000000120000-0x0000000000121000-memory.dmp
memory/1752-59-0x0000000000120000-0x0000000000121000-memory.dmp
memory/1752-62-0x0000000000120000-0x0000000000121000-memory.dmp
memory/1752-63-0x0000000000120000-0x0000000000121000-memory.dmp
memory/1752-64-0x0000000000120000-0x0000000000121000-memory.dmp
memory/1752-65-0x0000000000120000-0x0000000000121000-memory.dmp
memory/1752-66-0x0000000000120000-0x0000000000121000-memory.dmp
memory/1880-69-0x0000000000000000-mapping.dmp
C:\Users\Admin\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar
| MD5 | 25d7be8c2f534dca289f50a193a5418d |
| SHA1 | 020aa3a275641eb88e07df1ed222f14944f80785 |
| SHA256 | ad13f2f5590aa12b204c3713520f605595ab04f468577424effd742251a35712 |
| SHA512 | 9ccd9bf4756aa464fd9eb516448ad9f650c38ebed61f0a0eb3979b66c4f8e57f84bbc0b62c437fd56a7fc5e7c798f42a6da10f4edabf2b52e51bed970f35845e |
memory/1880-74-0x00000000022A0000-0x0000000002510000-memory.dmp
memory/1880-75-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\lib\system-hook-3.5.jar
| MD5 | e1aa38a1e78a76a6de73efae136cdb3a |
| SHA1 | c463da71871f780b2e2e5dba115d43953b537daf |
| SHA256 | 2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609 |
| SHA512 | fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d |
C:\Users\Admin\lib\jna-5.5.0.jar
| MD5 | acfb5b5fd9ee10bf69497792fd469f85 |
| SHA1 | 0e0845217c4907822403912ad6828d8e0b256208 |
| SHA256 | b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e |
| SHA512 | e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa |
C:\Users\Admin\lib\jna-platform-5.5.0.jar
| MD5 | 2f4a99c2758e72ee2b59a73586a2322f |
| SHA1 | af38e7c4d0fc73c23ecd785443705bfdee5b90bf |
| SHA256 | 24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5 |
| SHA512 | b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2329389628-4064185017-3901522362-1000\83aa4cc77f591dfc2374580bbd95f6ba_3bd845b8-ce6a-4337-9974-31490196462a
| MD5 | c8366ae350e7019aefc9d1e6e6a498c6 |
| SHA1 | 5731d8a3e6568a5f2dfbbc87e3db9637df280b61 |
| SHA256 | 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238 |
| SHA512 | 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd |
\Users\Admin\AppData\Local\Temp\jna-63116079\jna296939601407622442.dll
| MD5 | e02979ecd43bcc9061eb2b494ab5af50 |
| SHA1 | 3122ac0e751660f646c73b10c4f79685aa65c545 |
| SHA256 | a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a |
| SHA512 | 1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372 |
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar
| MD5 | b33387e15ab150a7bf560abdc73c3bec |
| SHA1 | 66b8075784131f578ef893fd7674273f709b9a4c |
| SHA256 | 2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491 |
| SHA512 | 25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279 |
memory/1716-83-0x0000000000000000-mapping.dmp
memory/1648-84-0x0000000000000000-mapping.dmp
memory/848-88-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar
| MD5 | 25d7be8c2f534dca289f50a193a5418d |
| SHA1 | 020aa3a275641eb88e07df1ed222f14944f80785 |
| SHA256 | ad13f2f5590aa12b204c3713520f605595ab04f468577424effd742251a35712 |
| SHA512 | 9ccd9bf4756aa464fd9eb516448ad9f650c38ebed61f0a0eb3979b66c4f8e57f84bbc0b62c437fd56a7fc5e7c798f42a6da10f4edabf2b52e51bed970f35845e |
memory/1880-87-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1880-94-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1648-97-0x00000000021E0000-0x0000000002450000-memory.dmp
memory/1648-96-0x0000000000120000-0x0000000000121000-memory.dmp
C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar
| MD5 | e1aa38a1e78a76a6de73efae136cdb3a |
| SHA1 | c463da71871f780b2e2e5dba115d43953b537daf |
| SHA256 | 2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609 |
| SHA512 | fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d |
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna296939601407622442.dll
| MD5 | e02979ecd43bcc9061eb2b494ab5af50 |
| SHA1 | 3122ac0e751660f646c73b10c4f79685aa65c545 |
| SHA256 | a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a |
| SHA512 | 1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372 |
C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar
| MD5 | 2f4a99c2758e72ee2b59a73586a2322f |
| SHA1 | af38e7c4d0fc73c23ecd785443705bfdee5b90bf |
| SHA256 | 24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5 |
| SHA512 | b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494 |
C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar
| MD5 | acfb5b5fd9ee10bf69497792fd469f85 |
| SHA1 | 0e0845217c4907822403912ad6828d8e0b256208 |
| SHA256 | b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e |
| SHA512 | e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa |
\Users\Admin\AppData\Local\Temp\jna-63116079\jna7038471230880191132.dll
| MD5 | e02979ecd43bcc9061eb2b494ab5af50 |
| SHA1 | 3122ac0e751660f646c73b10c4f79685aa65c545 |
| SHA256 | a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a |
| SHA512 | 1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372 |
C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar
| MD5 | b33387e15ab150a7bf560abdc73c3bec |
| SHA1 | 66b8075784131f578ef893fd7674273f709b9a4c |
| SHA256 | 2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491 |
| SHA512 | 25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279 |
memory/1648-104-0x0000000000120000-0x0000000000121000-memory.dmp
memory/1648-134-0x0000000000120000-0x0000000000121000-memory.dmp
memory/1648-135-0x0000000000120000-0x0000000000121000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-12-18 08:50
Reported
2021-12-18 08:52
Platform
win10-en-20211208
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\SHIPMENT_DOCUMENTS_BL_INV_PKLISTS XLS.jar"
Network
| Country | Destination | Domain | Proto |
| US | 52.109.12.20:443 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
memory/3356-117-0x0000000002610000-0x0000000002880000-memory.dmp
memory/3356-118-0x0000000002610000-0x0000000002880000-memory.dmp
memory/3356-119-0x0000000000750000-0x0000000000751000-memory.dmp
memory/3356-121-0x0000000000750000-0x0000000000751000-memory.dmp
memory/3356-123-0x0000000002890000-0x00000000028A0000-memory.dmp
memory/3356-122-0x0000000002880000-0x0000000002890000-memory.dmp
memory/3356-124-0x00000000028A0000-0x00000000028B0000-memory.dmp
memory/3356-125-0x00000000028B0000-0x00000000028C0000-memory.dmp