Malware Analysis Report

2024-12-07 20:45

Sample ID 230627-hj7wxaec3w
Target QUOTAZIONI-Offerta.jar
SHA256 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
Tags strrat persistence stealer trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680

Threat Level: Known bad

The file QUOTAZIONI-Offerta.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-27 06:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-27 06:47

Reported

2023-06-27 06:49

Platform

win7-20230621-en

Max time kernel

150s

Max time network

153s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONI-Offerta.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONI-Offerta.jar
Process: C:\Windows\system32\java.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONI-Offerta = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONI-Offerta.jar\""
Process: C:\Windows\system32\java.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONI-Offerta = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONI-Offerta.jar\""
Process: C:\Windows\system32\java.exe
Target: N/A

Creates scheduled task(s)

persistence
Description: N/A
Indicator: N/A
Process: C:\Windows\system32\schtasks.exe
Target: N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONI-Offerta.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 elastsolek1.duckdns.org udp
RU 194.147.140.241:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp

Files

memory/1416-63-0x0000000000430000-0x0000000000431000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONI-Offerta.jar

MD5 1a4ac030a58da776cfe4a9c81e563bd4
SHA1 3159dc0894baaf593e1365921cdbfd580a5885ae
SHA256 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
SHA512 f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar

MD5 1a4ac030a58da776cfe4a9c81e563bd4
SHA1 3159dc0894baaf593e1365921cdbfd580a5885ae
SHA256 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
SHA512 f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

memory/872-81-0x00000000001B0000-0x00000000001B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-27 06:47

Reported

2023-06-27 06:49

Platform

win10v2004-20230621-en

Max time kernel

149s

Max time network

152s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONI-Offerta.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONI-Offerta.jar
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONI-Offerta = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONI-Offerta.jar\""
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONI-Offerta = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONI-Offerta.jar\""
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Creates scheduled task(s)

persistence
Description: N/A
Indicator: N/A
Process: C:\Windows\system32\schtasks.exe
Target: N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONI-Offerta.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
RU 194.147.140.241:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.89.179.10:443 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp

Files

memory/3224-143-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\QUOTAZIONI-Offerta.jar

MD5 1a4ac030a58da776cfe4a9c81e563bd4
SHA1 3159dc0894baaf593e1365921cdbfd580a5885ae
SHA256 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
SHA512 f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

memory/3224-151-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar

MD5 1a4ac030a58da776cfe4a9c81e563bd4
SHA1 3159dc0894baaf593e1365921cdbfd580a5885ae
SHA256 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
SHA512 f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 b84781050ec25d24feea2366dde06fd0
SHA1 00d5741b102fbc4b8fc479c6a76ff71659858bb0
SHA256 ef9157d086ffa50096b13a042061a165b3e7e5e2603d7fc9687b73159b8ab2a7
SHA512 96bce048a07aed2940057f01af27430fafb1f7bb75b6b164c120885e737361e9e868663da1a76b6e5b01f70af50a935de0cb7bd2faba3308e3c7ce3f427afb82

memory/3084-164-0x0000000001660000-0x0000000001661000-memory.dmp