Analysis Overview
SHA256
49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
Threat Level: Known bad
The file QUOTAZIONI-Offerta.jar was found to be: Known bad.
Malicious Activity Summary
STRRAT
Drops startup file
Adds Run key to start application
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-27 06:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-27 06:47
Reported
2023-06-27 06:49
Platform
win7-20230621-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
STRRAT
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONI-Offerta.jar | C:\Windows\system32\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONI-Offerta = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONI-Offerta.jar\"" | C:\Windows\system32\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONI-Offerta = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONI-Offerta.jar\"" | C:\Windows\system32\java.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1416 wrote to memory of 1900 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 1416 wrote to memory of 1900 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 1416 wrote to memory of 1900 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 1416 wrote to memory of 872 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 1416 wrote to memory of 872 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 1416 wrote to memory of 872 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 1900 wrote to memory of 688 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1900 wrote to memory of 688 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1900 wrote to memory of 688 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONI-Offerta.jar
C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | elastsolek1.duckdns.org | udp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| US | 8.8.8.8:53 | zekeriyasolek45.duckdns.org | udp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| US | 8.8.8.8:53 | elastsolek1.duckdns.org | udp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| US | 8.8.8.8:53 | zekeriyasolek45.duckdns.org | udp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
Files
memory/1416-63-0x0000000000430000-0x0000000000431000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONI-Offerta.jar
| MD5 | 1a4ac030a58da776cfe4a9c81e563bd4 |
| SHA1 | 3159dc0894baaf593e1365921cdbfd580a5885ae |
| SHA256 | 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680 |
| SHA512 | f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520 |
C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar
| MD5 | 1a4ac030a58da776cfe4a9c81e563bd4 |
| SHA1 | 3159dc0894baaf593e1365921cdbfd580a5885ae |
| SHA256 | 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680 |
| SHA512 | f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520 |
memory/872-81-0x00000000001B0000-0x00000000001B1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-27 06:47
Reported
2023-06-27 06:49
Platform
win10v2004-20230621-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
STRRAT
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONI-Offerta.jar | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONI-Offerta = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONI-Offerta.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONI-Offerta = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONI-Offerta.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3224 wrote to memory of 3676 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 3224 wrote to memory of 3676 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 3224 wrote to memory of 3084 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre1.8.0_66\bin\java.exe |
| PID 3224 wrote to memory of 3084 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre1.8.0_66\bin\java.exe |
| PID 3676 wrote to memory of 1208 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 3676 wrote to memory of 1208 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONI-Offerta.jar
C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | elastsolek1.duckdns.org | udp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| US | 8.8.8.8:53 | 58.104.205.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zekeriyasolek45.duckdns.org | udp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 13.89.179.10:443 | | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| US | 8.8.8.8:53 | elastsolek1.duckdns.org | udp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| US | 8.8.8.8:53 | zekeriyasolek45.duckdns.org | udp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| RU | 194.147.140.241:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
Files
memory/3224-143-0x0000000000AE0000-0x0000000000AE1000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\QUOTAZIONI-Offerta.jar
| MD5 | 1a4ac030a58da776cfe4a9c81e563bd4 |
| SHA1 | 3159dc0894baaf593e1365921cdbfd580a5885ae |
| SHA256 | 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680 |
| SHA512 | f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520 |
memory/3224-151-0x0000000000AE0000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar
| MD5 | 1a4ac030a58da776cfe4a9c81e563bd4 |
| SHA1 | 3159dc0894baaf593e1365921cdbfd580a5885ae |
| SHA256 | 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680 |
| SHA512 | f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520 |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | b84781050ec25d24feea2366dde06fd0 |
| SHA1 | 00d5741b102fbc4b8fc479c6a76ff71659858bb0 |
| SHA256 | ef9157d086ffa50096b13a042061a165b3e7e5e2603d7fc9687b73159b8ab2a7 |
| SHA512 | 96bce048a07aed2940057f01af27430fafb1f7bb75b6b164c120885e737361e9e868663da1a76b6e5b01f70af50a935de0cb7bd2faba3308e3c7ce3f427afb82 |
memory/3084-164-0x0000000001660000-0x0000000001661000-memory.dmp