Malware Analysis Report

2024-12-07 20:41

Sample ID 230630-rf9qrsec9t
Target PaymentAdvicejarjarjar.jar
SHA256 4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212
Tags
strrat persistence stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file PaymentAdvicejarjarjar.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2023-06-30 14:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-30 14:09

Reported

2023-06-30 14:11

Platform

win7-20230621-en

Max time kernel

83s

Max time network

33s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejarjarjar.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejarjarjar.jar
Process: C:\Windows\system32\java.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjar = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvicejarjarjar.jar\""
Process: C:\Windows\system32\java.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjar = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvicejarjarjar.jar\""
Process: C:\Windows\system32\java.exe
Target: N/A

Creates scheduled task(s)

persistence
Description: N/A
Indicator: N/A
Process: C:\Windows\system32\schtasks.exe
Target: N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejarjarjar.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"

Network

N/A

Files

memory/1016-63-0x0000000000120000-0x0000000000121000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejarjarjar.jar

MD5 4761d770468b1b41eb0aa26c57e4e605
SHA1 d5674e55de3521a89b9e0b04bac2b96bf7d187f4
SHA256 4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212
SHA512 4feb251474ac747ff07df3a29c1c70ba0781df2759e90352433500b03143e8f78273087dc17c660b32c7cb62fa5d975daef10dfae52bfb7729d5a007fa8f472c

C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar

MD5 4761d770468b1b41eb0aa26c57e4e605
SHA1 d5674e55de3521a89b9e0b04bac2b96bf7d187f4
SHA256 4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212
SHA512 4feb251474ac747ff07df3a29c1c70ba0781df2759e90352433500b03143e8f78273087dc17c660b32c7cb62fa5d975daef10dfae52bfb7729d5a007fa8f472c

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-30 14:09

Reported

2023-06-30 14:11

Platform

win10v2004-20230621-en

Max time kernel

149s

Max time network

146s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejarjarjar.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejarjarjar.jar
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvicejarjarjar.jar\""
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvicejarjarjar.jar\""
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Creates scheduled task(s)

persistence
Description: N/A
Indicator: N/A
Process: C:\Windows\system32\schtasks.exe
Target: N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejarjarjar.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"

Network

Country  Destination          Domain                        Proto
US       209.197.3.8:80       -                             tcp
US       8.8.8.8:53           146.78.124.51.in-addr.arpa    udp
US       209.197.3.8:80       -                             tcp
US       209.197.3.8:80       -                             tcp
US       8.8.8.8:53           26.35.223.20.in-addr.arpa     udp
US       8.8.8.8:53           71.31.126.40.in-addr.arpa     udp
US       8.8.8.8:53           efcc.duckdns.org              udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53           64.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53           54.120.234.20.in-addr.arpa    udp
US       79.110.49.161:1243   efcc.duckdns.org              tcp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53           158.240.127.40.in-addr.arpa   udp
US       209.197.3.8:80       -                             tcp
US       209.197.3.8:80       -                             tcp
US       8.8.8.8:53           64.13.109.52.in-addr.arpa     udp
US       8.8.8.8:53           59.128.231.4.in-addr.arpa     udp
N/A      127.0.0.1:1243       -                             tcp
GB       96.16.110.41:443     -                             tcp
US       8.8.8.8:53           efcc.duckdns.org              udp
US       79.110.49.161:1243   efcc.duckdns.org              tcp
N/A      127.0.0.1:1243       -                             tcp
US       79.110.49.161:1243   efcc.duckdns.org              tcp
US       8.8.8.8:53           202.74.101.95.in-addr.arpa    udp
N/A      127.0.0.1:1243       -                             tcp
US       79.110.49.161:1243   efcc.duckdns.org              tcp
N/A      127.0.0.1:1243       -                             tcp

Files

memory/5072-143-0x0000000002390000-0x0000000002391000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\PaymentAdvicejarjarjar.jar

MD5 4761d770468b1b41eb0aa26c57e4e605
SHA1 d5674e55de3521a89b9e0b04bac2b96bf7d187f4
SHA256 4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212
SHA512 4feb251474ac747ff07df3a29c1c70ba0781df2759e90352433500b03143e8f78273087dc17c660b32c7cb62fa5d975daef10dfae52bfb7729d5a007fa8f472c

C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar

MD5 4761d770468b1b41eb0aa26c57e4e605
SHA1 d5674e55de3521a89b9e0b04bac2b96bf7d187f4
SHA256 4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212
SHA512 4feb251474ac747ff07df3a29c1c70ba0781df2759e90352433500b03143e8f78273087dc17c660b32c7cb62fa5d975daef10dfae52bfb7729d5a007fa8f472c

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 7f1484f271c0fd35737c9e72fd20f913
SHA1 386337ec01515dded67927e66a8486c630c49c5c
SHA256 eeab636c016040a19eb2dd05eb75a7326607a5503610568fa4c14b683586866d
SHA512 754e2a21829390e5fad842ff5348f62fafb6a9547397bb8a2909e590cf88723f15ac8abd61854486ed838b78201aec22638c0f48a1af34c2792095560f057da0

memory/5092-165-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

memory/5092-166-0x0000000000AE0000-0x0000000000AE1000-memory.dmp