Analysis

  • max time kernel
    153s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    27-06-2023 14:21

General

  • Target

    QUOTAZIONIOffertajar.jar

  • Size

    70KB

  • MD5

    1a4ac030a58da776cfe4a9c81e563bd4

  • SHA1

    3159dc0894baaf593e1365921cdbfd580a5885ae

  • SHA256

    49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680

  • SHA512

    f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

  • SSDEEP

    1536:ETgNpqksfYxlEnBQ1taArWKnrw4S3gDhpK1s207Oc3au1r3bQnsYuPjRwnQHzOi+:vhDHE27nfS3gLK1s26aWr3bQnuLViS3Y

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONIOffertajar.jar
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\system32\cmd.exe
      cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"
        3⤵
        • Creates scheduled task(s)
        PID:1416
    • C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:604
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1484
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1952
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
          4⤵
            PID:848
        • C:\Windows\system32\cmd.exe
          cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1380
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
            4⤵
              PID:1560

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONIOffertajar.jar

        Filesize

        70KB

        MD5

        1a4ac030a58da776cfe4a9c81e563bd4

        SHA1

        3159dc0894baaf593e1365921cdbfd580a5885ae

        SHA256

        49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680

        SHA512

        f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

      • C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar

        Filesize

        70KB

        MD5

        1a4ac030a58da776cfe4a9c81e563bd4

        SHA1

        3159dc0894baaf593e1365921cdbfd580a5885ae

        SHA256

        49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680

        SHA512

        f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

      • memory/1920-80-0x0000000000330000-0x0000000000331000-memory.dmp

        Filesize

        4KB

      • memory/1920-82-0x0000000000330000-0x0000000000331000-memory.dmp

        Filesize

        4KB

      • memory/2012-63-0x0000000000420000-0x0000000000421000-memory.dmp

        Filesize

        4KB