Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2023 14:32

General

  • Target

    PO06028jar.jar

  • Size

    70KB

  • MD5

    1421b13fcff1ed8b4e8ed6d0ec1ef4ec

  • SHA1

    7eb847e16c12dc9159e9f8a0b219926ddf9ec401

  • SHA256

    98519a10598b6816b5df829028aab2ccd19ddae46c75f25b25c7bafbe7eb8ce3

  • SHA512

    c91c39cb5eea625ba59b60dc0dca227d84da68b36ad4c79e4dfa39f24fb70349b09b24132abbbfccb1a97439a883ed8d7121fcf119f7f7be106c675a37615e41

  • SSDEEP

    1536:Mf9ewjOD9EgIKgngWmvpkPuH08DdgUFFVk1YSeY9UKihA4X9:CewlKdYPW0AvmYPYTihAo

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\PO06028jar.jar
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:416
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PO06028jar.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3492
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PO06028jar.jar"
        3⤵
        • Creates scheduled task(s)
        PID:324
    • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PO06028jar.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4140
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3380
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1848
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1608
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4120
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
          4⤵
            PID:4388
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2020
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
            4⤵
              PID:2316

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\PO06028jar.jar

        Filesize

        70KB

        MD5

        1421b13fcff1ed8b4e8ed6d0ec1ef4ec

        SHA1

        7eb847e16c12dc9159e9f8a0b219926ddf9ec401

        SHA256

        98519a10598b6816b5df829028aab2ccd19ddae46c75f25b25c7bafbe7eb8ce3

        SHA512

        c91c39cb5eea625ba59b60dc0dca227d84da68b36ad4c79e4dfa39f24fb70349b09b24132abbbfccb1a97439a883ed8d7121fcf119f7f7be106c675a37615e41

      • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

        Filesize

        50B

        MD5

        4393959fec24417d7b85c9423fe8ba0b

        SHA1

        c8721a1548769313a58f3a1295d7bb4985c497b6

        SHA256

        d7d45026096bda9e2d8d4452c12904606c17be3f06632edd0ed6b891782e3a8d

        SHA512

        c7d6414e3dc36039e0baf30e21b8e0da856eff4123f903d0831ae350989bb81629d2b8ecaa3ae169ce94427a26440ecea43f212f8ac1d866a3e61d82d5fe17e5

      • C:\Users\Admin\AppData\Roaming\PO06028jar.jar

        Filesize

        70KB

        MD5

        1421b13fcff1ed8b4e8ed6d0ec1ef4ec

        SHA1

        7eb847e16c12dc9159e9f8a0b219926ddf9ec401

        SHA256

        98519a10598b6816b5df829028aab2ccd19ddae46c75f25b25c7bafbe7eb8ce3

        SHA512

        c91c39cb5eea625ba59b60dc0dca227d84da68b36ad4c79e4dfa39f24fb70349b09b24132abbbfccb1a97439a883ed8d7121fcf119f7f7be106c675a37615e41

      • memory/416-143-0x0000000002520000-0x0000000002521000-memory.dmp

        Filesize

        4KB

      • memory/3852-165-0x00000000025C0000-0x00000000025C1000-memory.dmp

        Filesize

        4KB

      • memory/3852-167-0x00000000025C0000-0x00000000025C1000-memory.dmp

        Filesize

        4KB