Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-06-2023 14:21

General

  • Target

    QUOTAZIONIOffertajar.jar

  • Size

    70KB

  • MD5

    1a4ac030a58da776cfe4a9c81e563bd4

  • SHA1

    3159dc0894baaf593e1365921cdbfd580a5885ae

  • SHA256

    49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680

  • SHA512

    f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

  • SSDEEP

    1536:ETgNpqksfYxlEnBQ1taArWKnrw4S3gDhpK1s207Oc3au1r3bQnsYuPjRwnQHzOi+:vhDHE27nfS3gLK1s26aWr3bQnuLViS3Y

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONIOffertajar.jar
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"
        3⤵
        • Creates scheduled task(s)
        PID:3588
    • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4160
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3776
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4780
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2220
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1400
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
          4⤵
            PID:2196
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2156
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
            4⤵
              PID:4268

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\QUOTAZIONIOffertajar.jar

        Filesize

        70KB

        MD5

        1a4ac030a58da776cfe4a9c81e563bd4

        SHA1

        3159dc0894baaf593e1365921cdbfd580a5885ae

        SHA256

        49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680

        SHA512

        f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

      • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

        Filesize

        50B

        MD5

        89aefbc3d85ecb573ce79c224a33c35d

        SHA1

        64cb422e1941963cad61334d97e61e3515f426f9

        SHA256

        e5ec5feb5c11b538ba1472c5e5c17ebf07eac2b09214c0c296a9a605412b3a0c

        SHA512

        75a76837f0d8892fb667d5d8506fc9bb34a77aac2eb795315d277bd69bbbcddcb93ee3f375c70351ff2688ee6096c8e66819e7ebcb0ab252dc056af21807940e

      • C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar

        Filesize

        70KB

        MD5

        1a4ac030a58da776cfe4a9c81e563bd4

        SHA1

        3159dc0894baaf593e1365921cdbfd580a5885ae

        SHA256

        49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680

        SHA512

        f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

      • memory/2472-164-0x0000000000940000-0x0000000000941000-memory.dmp

        Filesize

        4KB

      • memory/2472-165-0x0000000000940000-0x0000000000941000-memory.dmp

        Filesize

        4KB

      • memory/2472-170-0x0000000000940000-0x0000000000941000-memory.dmp

        Filesize

        4KB

      • memory/4364-144-0x0000000002770000-0x0000000002771000-memory.dmp

        Filesize

        4KB