Malware Analysis Report

2024-12-07 20:45

Sample ID 230627-rnkrlsee23
Target Payment0627jar.jar
SHA256 10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b
Tags strrat persistence stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b

Threat Level: Known bad

The file Payment0627jar.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-27 14:20

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-27 14:20

Reported

2023-06-27 14:22

Platform

win10v2004-20230621-en

Max time kernel

133s

Max time network

151s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Payment0627jar.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment0627jar.jar | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment0627jar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment0627jar.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment0627jar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment0627jar.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Payment0627jar.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"

Network

Country | Destination | Domain | Proto
US | 192.229.221.95:80 | | tcp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | efcc.duckdns.org | udp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.104.123.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 20.42.65.90:443 | | tcp
N/A | 127.0.0.1:1243 | | tcp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
N/A | 127.0.0.1:1243 | | tcp
US | 8.8.8.8:53 | efcc.duckdns.org | udp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp
N/A | 127.0.0.1:1243 | | tcp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp
N/A | 127.0.0.1:1243 | | tcp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp

Files

memory/1332-143-0x0000000002F10000-0x0000000002F11000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Payment0627jar.jar

MD5 0a257f1b297660ebf8f981550c5bfcfe
SHA1 7b65e7feb8dde2b10c2ba4978df6951cd2c40225
SHA256 10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b
SHA512 789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130

C:\Users\Admin\AppData\Roaming\Payment0627jar.jar

MD5 0a257f1b297660ebf8f981550c5bfcfe
SHA1 7b65e7feb8dde2b10c2ba4978df6951cd2c40225
SHA256 10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b
SHA512 789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 e2fb17381d7c0d5848659f227e867890
SHA1 a4685f93552823205025cac3fabb888e3c414a4d
SHA256 03dbd3fb49bc1b11132891a254e0beaf32c672f70e077faf767e0eefea782595
SHA512 efd0d3b9bc285e68772a07fcd128699cdca56de444c074071e052aa1dec5872241f671e78435c0ae39f5dcf0397d1c69e2c0f9cc45740bbc0e6bcad82a474647

memory/632-163-0x00000000015B0000-0x00000000015B1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-27 14:20

Reported

2023-06-27 14:22

Platform

win7-20230621-en

Max time kernel

146s

Max time network

149s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Payment0627jar.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment0627jar.jar | C:\Windows\system32\java.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payment0627jar = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment0627jar.jar\"" | C:\Windows\system32\java.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment0627jar = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment0627jar.jar\"" | C:\Windows\system32\java.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2032 wrote to memory of 1416 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 1416 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 1416 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2008 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 2032 wrote to memory of 2008 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 2032 wrote to memory of 2008 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 1416 wrote to memory of 904 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1416 wrote to memory of 904 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1416 wrote to memory of 904 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Payment0627jar.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | efcc.duckdns.org | udp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp
N/A | 127.0.0.1:1243 | | tcp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp
N/A | 127.0.0.1:1243 | | tcp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp
N/A | 127.0.0.1:1243 | | tcp
US | 8.8.8.8:53 | efcc.duckdns.org | udp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp
N/A | 127.0.0.1:1243 | | tcp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp

Files

memory/2032-63-0x0000000000120000-0x0000000000121000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Payment0627jar.jar

MD5 0a257f1b297660ebf8f981550c5bfcfe
SHA1 7b65e7feb8dde2b10c2ba4978df6951cd2c40225
SHA256 10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b
SHA512 789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130

C:\Users\Admin\AppData\Roaming\Payment0627jar.jar

MD5 0a257f1b297660ebf8f981550c5bfcfe
SHA1 7b65e7feb8dde2b10c2ba4978df6951cd2c40225
SHA256 10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b
SHA512 789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130

memory/2008-80-0x0000000000130000-0x0000000000131000-memory.dmp