Analysis Overview
SHA256
1144ef0b85c23b61c1258d07cb3778500f071b491cd7b33f1675221983d44e88
Threat Level: Known bad
The file QUOTATION OFFER REQUEST 1034783_pdf_pdf.jar was found to be: Known bad.
Malicious Activity Summary
STRRAT
Drops startup file
Loads dropped DLL
Adds Run key to start application
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-27 06:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-27 06:48
Reported
2023-06-27 06:50
Platform
win7-20230621-en
Max time kernel
150s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\QUOTATION OFFER REQUEST 1034783_pdf_pdf.jar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | repo1.maven.org | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 140.82.114.4:443 | github.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-27 06:48
Reported
2023-06-27 06:50
Platform
win10v2004-20230621-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
STRRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUOTATION OFFER REQUEST 1034783_pdf_pdf.jar | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTATION OFFER REQUEST 1034783_pdf_pdf = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTATION OFFER REQUEST 1034783_pdf_pdf.jar\"" | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTATION OFFER REQUEST 1034783_pdf_pdf = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTATION OFFER REQUEST 1034783_pdf_pdf.jar\"" | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1284 wrote to memory of 3968 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre1.8.0_66\bin\java.exe |
| PID 3968 wrote to memory of 4468 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 3968 wrote to memory of 4068 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | C:\Program Files\Java\jre1.8.0_66\bin\java.exe |
| PID 4468 wrote to memory of 392 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\QUOTATION OFFER REQUEST 1034783_pdf_pdf.jar"
C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\QUOTATION OFFER REQUEST 1034783_pdf_pdf.jar"
C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTATION OFFER REQUEST 1034783_pdf_pdf.jar"
C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTATION OFFER REQUEST 1034783_pdf_pdf.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTATION OFFER REQUEST 1034783_pdf_pdf.jar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.125.24.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | repo1.maven.org | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 140.82.113.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | 209.192.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| GB | 96.16.110.41:443 | | tcp |
| US | 8.8.8.8:53 | igw.myfirewall.org | udp |
| US | 79.110.49.9:5861 | igw.myfirewall.org | tcp |
Files
C:\Users\Admin\QUOTATION OFFER REQUEST 1034783_pdf_pdf.jar
| MD5 | 42a84baaf9025e866598df4bc433edd6 |
| SHA1 | c37488ccc7c7689a139b7975b68f81e159e3aeda |
| SHA256 | 1144ef0b85c23b61c1258d07cb3778500f071b491cd7b33f1675221983d44e88 |
| SHA512 | 5a049a0ed23786b831e62f7026893738811e2741117d815c0a63599c89b570c28b108cc9b37ff331656a9bc453d6fb638f12cd031089f5b662cd8d222ee6f586 |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | 5fd9e288f68830b772b7c3644bb4f74b |
| SHA1 | e13f2e2f4503734ab9de0bb6364bfa9af15cefa6 |
| SHA256 | dcedf657579d1d30df8a4f4f902c601aaceb2c390d85dda3e6f57bad3c7034dc |
| SHA512 | 2eb7cd9179cf297346e3fa6062088e82c52e9176069973efec261bc0cb9af227163ebd638b60a81c5de5f8da162167fcf4726474674093cf28c4c1bd84a0c302 |
C:\Users\Admin\lib\system-hook-3.5.jar
| MD5 | e1aa38a1e78a76a6de73efae136cdb3a |
| SHA1 | c463da71871f780b2e2e5dba115d43953b537daf |
| SHA256 | 2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609 |
| SHA512 | fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d |
C:\Users\Admin\lib\jna-5.5.0.jar
| MD5 | acfb5b5fd9ee10bf69497792fd469f85 |
| SHA1 | 0e0845217c4907822403912ad6828d8e0b256208 |
| SHA256 | b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e |
| SHA512 | e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa |
C:\Users\Admin\lib\jna-platform-5.5.0.jar
| MD5 | 2f4a99c2758e72ee2b59a73586a2322f |
| SHA1 | af38e7c4d0fc73c23ecd785443705bfdee5b90bf |
| SHA256 | 24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5 |
| SHA512 | b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494 |
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar
| MD5 | b33387e15ab150a7bf560abdc73c3bec |
| SHA1 | 66b8075784131f578ef893fd7674273f709b9a4c |
| SHA256 | 2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491 |
| SHA512 | 25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279 |
C:\Users\Admin\AppData\Roaming\QUOTATION OFFER REQUEST 1034783_pdf_pdf.jar
| MD5 | 42a84baaf9025e866598df4bc433edd6 |
| SHA1 | c37488ccc7c7689a139b7975b68f81e159e3aeda |
| SHA256 | 1144ef0b85c23b61c1258d07cb3778500f071b491cd7b33f1675221983d44e88 |
| SHA512 | 5a049a0ed23786b831e62f7026893738811e2741117d815c0a63599c89b570c28b108cc9b37ff331656a9bc453d6fb638f12cd031089f5b662cd8d222ee6f586 |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | 8edbf7fe4607bf457be0093347f78674 |
| SHA1 | a05e917dd48d1d55c728aad57a7b788ae26e2b39 |
| SHA256 | 04f43e5dc1f9cdd96982ff063e2713451bec088fbf72c9160538a21251121435 |
| SHA512 | 1e8adf2a78a145759c119b61a13982fcc07e94de5a8b6ce8cbcbe5af368295ed007d1a7e5103dde83fadce6050afdb58b2db366f51905b802d830ec7e9abc1ce |
C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar
| MD5 | acfb5b5fd9ee10bf69497792fd469f85 |
| SHA1 | 0e0845217c4907822403912ad6828d8e0b256208 |
| SHA256 | b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e |
| SHA512 | e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa |
C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar
| MD5 | b33387e15ab150a7bf560abdc73c3bec |
| SHA1 | 66b8075784131f578ef893fd7674273f709b9a4c |
| SHA256 | 2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491 |
| SHA512 | 25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279 |
C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar
| MD5 | 2f4a99c2758e72ee2b59a73586a2322f |
| SHA1 | af38e7c4d0fc73c23ecd785443705bfdee5b90bf |
| SHA256 | 24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5 |
| SHA512 | b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494 |
C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar
| MD5 | e1aa38a1e78a76a6de73efae136cdb3a |
| SHA1 | c463da71871f780b2e2e5dba115d43953b537daf |
| SHA256 | 2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609 |
| SHA512 | fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-508929744-1894537824-211734425-1000\83aa4cc77f591dfc2374580bbd95f6ba_3db77c8d-8b44-4cdd-80bd-b67b97edf7a0
| MD5 | c8366ae350e7019aefc9d1e6e6a498c6 |
| SHA1 | 5731d8a3e6568a5f2dfbbc87e3db9637df280b61 |
| SHA256 | 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238 |
| SHA512 | 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd |
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna5110569919590843834.dll
| MD5 | e02979ecd43bcc9061eb2b494ab5af50 |
| SHA1 | 3122ac0e751660f646c73b10c4f79685aa65c545 |
| SHA256 | a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a |
| SHA512 | 1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372 |