General

  • Target: shipment docs.zip
  • Size: 198KB
  • Sample: 230328-kmbc8abf8s
  • MD5: 542624cbb918d3e68332605b3875463d
  • SHA1: 3ce54bac9daa0a657f41ba63978cc29dd0f5f63f
  • SHA256: 0c2907fab86a121782be17d2bd2af6a1e02a9d8b276f928eb740ca8c38b09e7a
  • SHA512: 659e982ff88dad05e5d8eaa4b83556d9e254d195e89f843ce3b1f4b612d7d1e6e78c8c78ecce33e20be74eb8b42c22a7fe58760ce3928c9e99a262bbc88cf5b4
  • SSDEEP: 6144:7H4GyyPoGaOiEsSgP2Bsw+Skw9ylUg+cwwu51lKL:zT9oGa/EsHX/SkayBZwwmuL

Malware Config

Targets

    • Target: shipment docs.jar
    • Size: 205KB
    • MD5: 25cf0ecdc304d46909899c5a9b243568
    • SHA1: 99465760f952aab0bf4c82b1951d55a73d890811
    • SHA256: 2462ed49206ac07461831cbbf0217f4cacf5ef58a0d5870e2852f679bdec94d9
    • SHA512: 446d5f1e390114cec9ab9b842c0213fc768f8cf79a556db0dd746e8cd8bd53d3d32517d7fa52939f9c63bf49a79ac2d235e16a3f9f61f6d3802c6cde114cfefb
    • SSDEEP: 6144:J7A2/A8N7hFfAAi6JoWo74fpaNJ+nl8J0b:iwVXfLfoWo70wN2X

    • STRRAT
      STRRAT is a remote access tool that can steal credentials and log keystrokes.
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  Execution             Scheduled Task                       1      T1053
  Persistence           Registry Run Keys / Startup Folder   1      T1060
  Persistence           Scheduled Task                       1      T1053
  Privilege Escalation  Scheduled Task                       1      T1053
  Defense Evasion       Modify Registry                      1      T1112
  Discovery             Query Registry                       1      T1012

Tasks