Malware Analysis Report

2024-12-07 20:42

Sample ID: 230630-q82eeseb9v
Target: PaymentAdvicejarjarjar.jar
SHA256: 4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212
Tags: strrat persistence stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212

Threat Level: Known bad

The file PaymentAdvicejarjarjar.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-06-30 13:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-06-30 13:56
Reported: 2023-06-30 13:59
Platform: win7-20230621-en
Max time kernel: 139s
Max time network: 154s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejarjarjar.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejarjarjar.jar
Process: C:\Windows\system32\java.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjar = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvicejarjarjar.jar\""
Process: C:\Windows\system32\java.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjar = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvicejarjarjar.jar\""
Process: C:\Windows\system32\java.exe
Target: N/A

Creates scheduled task(s)

persistence
Description: N/A
Indicator: N/A
Process: C:\Windows\system32\schtasks.exe
Target: N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejarjarjar.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"

Network

Country  Destination         Domain            Proto
US       8.8.8.8:53          efcc.duckdns.org  udp
US       79.110.49.161:1243  efcc.duckdns.org  tcp
N/A      127.0.0.1:1243      -                 tcp
US       79.110.49.161:1243  efcc.duckdns.org  tcp
N/A      127.0.0.1:1243      -                 tcp
US       79.110.49.161:1243  efcc.duckdns.org  tcp
N/A      127.0.0.1:1243      -                 tcp
US       8.8.8.8:53          efcc.duckdns.org  udp
US       79.110.49.161:1243  efcc.duckdns.org  tcp
N/A      127.0.0.1:1243      -                 tcp
US       79.110.49.161:1243  efcc.duckdns.org  tcp

Files

memory/1876-63-0x0000000000120000-0x0000000000121000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejarjarjar.jar

MD5 4761d770468b1b41eb0aa26c57e4e605
SHA1 d5674e55de3521a89b9e0b04bac2b96bf7d187f4
SHA256 4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212
SHA512 4feb251474ac747ff07df3a29c1c70ba0781df2759e90352433500b03143e8f78273087dc17c660b32c7cb62fa5d975daef10dfae52bfb7729d5a007fa8f472c

C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar

MD5 4761d770468b1b41eb0aa26c57e4e605
SHA1 d5674e55de3521a89b9e0b04bac2b96bf7d187f4
SHA256 4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212
SHA512 4feb251474ac747ff07df3a29c1c70ba0781df2759e90352433500b03143e8f78273087dc17c660b32c7cb62fa5d975daef10dfae52bfb7729d5a007fa8f472c

memory/752-80-0x00000000000B0000-0x00000000000B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-06-30 13:56
Reported: 2023-06-30 13:59
Platform: win10v2004-20230621-en
Max time kernel: 133s
Max time network: 153s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejarjarjar.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejarjarjar.jar
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvicejarjarjar.jar\""
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvicejarjarjar.jar\""
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Creates scheduled task(s)

persistence
Description: N/A
Indicator: N/A
Process: C:\Windows\system32\schtasks.exe
Target: N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejarjarjar.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"

Network

Country  Destination         Domain                       Proto
US       8.8.8.8:53          198.187.3.20.in-addr.arpa    udp
US       8.8.8.8:53          59.128.231.4.in-addr.arpa    udp
US       8.8.8.8:53          8.3.197.209.in-addr.arpa     udp
US       8.8.8.8:53          efcc.duckdns.org             udp
US       79.110.49.161:1243  efcc.duckdns.org             tcp
US       8.8.8.8:53          71.31.126.40.in-addr.arpa    udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa  udp
NL       178.79.208.1:80     -                            tcp
US       8.8.8.8:53          208.194.73.20.in-addr.arpa   udp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa   udp
US       20.189.173.2:443    -                            tcp
N/A      127.0.0.1:1243      -                            tcp
US       79.110.49.161:1243  efcc.duckdns.org             tcp
US       8.8.8.8:53          233.141.123.20.in-addr.arpa  udp
N/A      127.0.0.1:1243      -                            tcp
NL       178.79.208.1:80     -                            tcp
US       79.110.49.161:1243  efcc.duckdns.org             tcp
GB       96.16.110.41:443    -                            tcp
US       8.8.8.8:53          202.74.101.95.in-addr.arpa   udp
N/A      127.0.0.1:1243      -                            tcp
US       79.110.49.161:1243  efcc.duckdns.org             tcp
US       8.8.8.8:53          55.36.223.20.in-addr.arpa    udp
N/A      127.0.0.1:1243      -                            tcp
US       8.8.8.8:53          efcc.duckdns.org             udp
US       79.110.49.161:1243  efcc.duckdns.org             tcp

Files

memory/2712-143-0x0000000000790000-0x0000000000791000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\PaymentAdvicejarjarjar.jar

MD5 4761d770468b1b41eb0aa26c57e4e605
SHA1 d5674e55de3521a89b9e0b04bac2b96bf7d187f4
SHA256 4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212
SHA512 4feb251474ac747ff07df3a29c1c70ba0781df2759e90352433500b03143e8f78273087dc17c660b32c7cb62fa5d975daef10dfae52bfb7729d5a007fa8f472c

C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar

MD5 4761d770468b1b41eb0aa26c57e4e605
SHA1 d5674e55de3521a89b9e0b04bac2b96bf7d187f4
SHA256 4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212
SHA512 4feb251474ac747ff07df3a29c1c70ba0781df2759e90352433500b03143e8f78273087dc17c660b32c7cb62fa5d975daef10dfae52bfb7729d5a007fa8f472c

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 abad1cc2ad6bc17b455a5e57f8f70847
SHA1 d31feaa429c6fe6043f90a9d9d9f514ae31252ad
SHA256 b5c1d616452de2d034e6f5534925a1e89d83b37d59045fa482d26584e40485dd
SHA512 b367fc2fe872b39c0d1a7c069992d3670a6609bfc9c047df6182f983c2dcc2183bc1027eac3b08648287ce5f3dbd1c1fcb40fbae10ee92de0e4c64a2571f461a

memory/4132-166-0x0000000000FD0000-0x0000000000FD1000-memory.dmp