Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-06-2023 10:36

General

  • Target

    Payment 06-27.jar

  • Size

    70KB

  • MD5

    0a257f1b297660ebf8f981550c5bfcfe

  • SHA1

    7b65e7feb8dde2b10c2ba4978df6951cd2c40225

  • SHA256

    10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b

  • SHA512

    789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130

  • SSDEEP

    768:sfZEarPi5ZQ7IT1yhV9JO8BUIm5UljMSfUZ0vTHFjpnfGu6n5rbEaH33kH/:P0Iq77hVc5ojMPZYlj9GPn5d33e/

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\Payment 06-27.jar"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment 06-27.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment 06-27.jar"
        3⤵
        • Creates scheduled task(s)
        PID:232
    • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Payment 06-27.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5012
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2788
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:784
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1888
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4504
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
          4⤵
            PID:3136
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4228
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
            4⤵
              PID:2456

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Payment 06-27.jar

        Filesize

        70KB

        MD5

        0a257f1b297660ebf8f981550c5bfcfe

        SHA1

        7b65e7feb8dde2b10c2ba4978df6951cd2c40225

        SHA256

        10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b

        SHA512

        789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130

      • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

        Filesize

        50B

        MD5

        1472160094d511a400aa00b6a259acd1

        SHA1

        dd8adf4b67e9fde7fac75e73dbcdd468973db8d0

        SHA256

        935e01cdee3579189122544451892d45a89a248eb3936818cef223822d17a342

        SHA512

        ee1ae7f186a225cd32b5fdb04bfbe58d91bcfa58f3b716984086886a2c5bfb6549b9fb524ee82520b05b5bb394f3c54d3ac8730cade303978a254330b5198171

      • C:\Users\Admin\AppData\Roaming\Payment 06-27.jar

        Filesize

        70KB

        MD5

        0a257f1b297660ebf8f981550c5bfcfe

        SHA1

        7b65e7feb8dde2b10c2ba4978df6951cd2c40225

        SHA256

        10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b

        SHA512

        789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130

      • memory/396-143-0x0000000000F40000-0x0000000000F41000-memory.dmp

        Filesize

        4KB

      • memory/2948-162-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

        Filesize

        4KB

      • memory/2948-167-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

        Filesize

        4KB