Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    27-06-2023 14:20

General

  • Target

    Payment0627jar.jar

  • Size

    70KB

  • MD5

    0a257f1b297660ebf8f981550c5bfcfe

  • SHA1

    7b65e7feb8dde2b10c2ba4978df6951cd2c40225

  • SHA256

    10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b

  • SHA512

    789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130

  • SSDEEP

    768:sfZEarPi5ZQ7IT1yhV9JO8BUIm5UljMSfUZ0vTHFjpnfGu6n5rbEaH33kH/:P0Iq77hVc5ojMPZYlj9GPn5d33e/

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\Payment0627jar.jar
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\system32\cmd.exe
      cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"
        3⤵
        • Creates scheduled task(s)
        PID:904
    • C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"
      2⤵
        PID:2008

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Payment0627jar.jar

      Filesize

      70KB

      MD5

      0a257f1b297660ebf8f981550c5bfcfe

      SHA1

      7b65e7feb8dde2b10c2ba4978df6951cd2c40225

      SHA256

      10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b

      SHA512

      789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130

    • C:\Users\Admin\AppData\Roaming\Payment0627jar.jar

      Filesize

      70KB

      MD5

      0a257f1b297660ebf8f981550c5bfcfe

      SHA1

      7b65e7feb8dde2b10c2ba4978df6951cd2c40225

      SHA256

      10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b

      SHA512

      789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130

    • memory/2008-80-0x0000000000130000-0x0000000000131000-memory.dmp

      Filesize

      4KB

    • memory/2032-63-0x0000000000120000-0x0000000000121000-memory.dmp

      Filesize

      4KB