Malware Analysis Report

2024-12-07 20:41

Sample ID 230704-n8lb4acd35
Target nPedido-de-cotizacion.jar
SHA256 087a4ea357c6298a1f9c86740171113d0aeacd8b6a0abe0d9652dff80accf432
Tags
strrat persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview, Signatures
Analysis: behavioral1
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
  Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

087a4ea357c6298a1f9c86740171113d0aeacd8b6a0abe0d9652dff80accf432

Threat Level: Known bad

The file nPedido-de-cotizacion.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

In both detonations the JAR copies itself to C:\Users\Admin\AppData\Roaming\nPedido-de-cotizacion.jar and to the Start Menu Startup folders (per-user and ProgramData), writes HKCU and HKLM ...\CurrentVersion\Run values that relaunch the copy with javaw.exe -jar, and has cmd.exe run schtasks to create a task named Skype that fires every 30 minutes; the task action is the .jar path itself, so it relies on the host's .jar file association rather than on an explicit java.exe invocation. It then resolves elastsolek1.duckdns.org and zekeriyasolek45.duckdns.org via 8.8.8.8 and connects repeatedly to 194.147.140.241:4787 and 194.147.140.212:4787 over TCP. The WriteProcessMemory signature fired only in the Windows 7 run (behavioral1).

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-04 12:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-04 12:04

Reported

2023-07-04 12:06

Platform

win7-20230703-en

Max time kernel

158s

Max time network

164s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\nPedido-de-cotizacion.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description  File created
Indicator    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nPedido-de-cotizacion.jar
Process      C:\Windows\system32\java.exe
Target       N/A

Adds Run key to start application

persistence
Description  Set value (str)
Indicator    \REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Windows\CurrentVersion\Run\nPedido-de-cotizacion = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\nPedido-de-cotizacion.jar\""
Process      C:\Windows\system32\java.exe
Target       N/A

Description  Set value (str)
Indicator    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nPedido-de-cotizacion = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\nPedido-de-cotizacion.jar\""
Process      C:\Windows\system32\java.exe
Target       N/A

Creates scheduled task(s)

persistence
Description  N/A
Indicator    N/A
Process      C:\Windows\system32\schtasks.exe
Target       N/A

Suspicious use of WriteProcessMemory

Description  PID 2308 wrote to memory of 1676 (3 events)
Indicator    N/A
Process      C:\Windows\system32\java.exe
Target       C:\Windows\system32\cmd.exe

Description  PID 2308 wrote to memory of 2164 (3 events)
Indicator    N/A
Process      C:\Windows\system32\java.exe
Target       C:\Program Files\Java\jre7\bin\java.exe

Description  PID 1676 wrote to memory of 2208 (3 events)
Indicator    N/A
Process      C:\Windows\system32\cmd.exe
Target       C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\nPedido-de-cotizacion.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\nPedido-de-cotizacion.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\nPedido-de-cotizacion.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\nPedido-de-cotizacion.jar"
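The persistence chain recorded in the Signatures and Processes sections above (java.exe spawning cmd.exe, which spawns schtasks.exe to create a task named Skype whose action is the .jar; Run values under HKCU and HKLM that launch javaw.exe -jar from the Roaming profile; a copy of the .jar written to a Startup folder) maps directly onto host telemetry. The Python below is an added example and is not part of the sandbox report or of the sample. It runs four rules over constructed Sysmon-style events (plain dicts with the field names Sysmon uses for event IDs 1, 11 and 13: Image, ParentImage, CommandLine, TargetFilename, TargetObject, Details; the dict layout itself is an assumption) that reproduce the behavioral1 values, plus one benign schtasks event to show the rules stay quiet on an ordinary task.

```python
import re

# Constructed Sysmon-style events (plain dicts, not real Sysmon XML) that
# reproduce the artifacts recorded in the behavioral1 run. Field names follow
# Sysmon event IDs 1 (process create), 11 (file create) and 13 (registry value
# set); the dict layout itself is an assumption for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\system32\java.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"java -jar C:\Users\Admin\AppData\Local\Temp\nPedido-de-cotizacion.jar"},
    {"EventID": 1, "Image": r"C:\Windows\system32\cmd.exe",
     "ParentImage": r"C:\Windows\system32\java.exe",
     "CommandLine": r'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\nPedido-de-cotizacion.jar"'},
    {"EventID": 1, "Image": r"C:\Windows\system32\schtasks.exe",
     "ParentImage": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\nPedido-de-cotizacion.jar"'},
    {"EventID": 13, "Image": r"C:\Windows\system32\java.exe",
     "TargetObject": r"HKU\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Windows\CurrentVersion\Run\nPedido-de-cotizacion",
     "Details": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\nPedido-de-cotizacion.jar"'},
    {"EventID": 11, "Image": r"C:\Windows\system32\java.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nPedido-de-cotizacion.jar"},
    # Benign control: a scheduled task whose action is an .exe, created by cmd.exe.
    {"EventID": 1, "Image": r"C:\Windows\system32\schtasks.exe",
     "ParentImage": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'schtasks /create /sc daily /tn Backup /tr "C:\Tools\backup.exe"'},
]

# schtasks /create whose /tr action is a .jar (quoted or not).
SCHTASKS_JAR = re.compile(r'schtasks\s+/create\b.*?/tr\s+"?[^"]*\.jar"?', re.I)
# Any Run key, user or machine hive; case-insensitive because the two runs
# above differ in "Software" vs "SOFTWARE".
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Run value that launches a JAR through java.exe or javaw.exe.
JAR_LAUNCH = re.compile(r'javaw?\.exe"?\s+-jar\s', re.I)
# Startup folder (per-user or ProgramData); "StartUp" casing in behavioral2 is covered by re.I.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
JAVA_IMAGE = re.compile(r"\\javaw?\.exe$", re.I)
SCHTASKS_WORD = re.compile(r"\bschtasks\b", re.I)


def detect_java_persistence(events):
    """Return (rule, evidence) pairs for events matching the persistence chain
    seen in this report: Java-launched schtasks, a task whose action is a .jar,
    Run keys that start a .jar via javaw.exe, and a .jar dropped into Startup."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            cmd = ev.get("CommandLine", "")
            if SCHTASKS_JAR.search(cmd):
                hits.append(("schtasks_jar", cmd))
            if JAVA_IMAGE.search(ev.get("ParentImage", "")) and SCHTASKS_WORD.search(cmd):
                hits.append(("java_spawns_schtasks", ev.get("Image", "")))
        elif eid == 13:
            key, val = ev.get("TargetObject", ""), ev.get("Details", "")
            if RUN_KEY.search(key) and JAR_LAUNCH.search(val):
                hits.append(("run_key_jar", key))
        elif eid == 11:
            path = ev.get("TargetFilename", "")
            if STARTUP_DIR.search(path) and path.lower().endswith(".jar"):
                hits.append(("startup_jar", path))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect_java_persistence(SAMPLE_EVENTS):
        print(f"{rule:22} {evidence}")
```

On the constructed events the cmd.exe line fires twice (it both carries the schtasks /create ... .jar command and has java.exe as parent), the schtasks.exe line once, and the registry and file events once each; the benign daily Backup task produces nothing. The java_spawns_schtasks rule is the most portable of the four, since a JVM process spawning the task scheduler is rare outside installers regardless of the task name or action.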

Network

Country  Destination           Domain                       Proto  Flows
US       8.8.8.8:53            elastsolek1.duckdns.org      udp    2
RU       194.147.140.241:4787  elastsolek1.duckdns.org      tcp    16
US       8.8.8.8:53            zekeriyasolek45.duckdns.org  udp    2
RU       194.147.140.212:4787  zekeriyasolek45.duckdns.org  tcp    16

Flows = number of connections recorded during the 164 s capture. The sample alternated between the two C2 hosts for the whole run and re-resolved both names once partway through.

Files

memory/2308-63-0x0000000000220000-0x0000000000221000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\nPedido-de-cotizacion.jar

MD5 f320885909e68bd534fb190dd36b8d17
SHA1 3e1996517744351c580728a8ff9ca18bd9bc579c
SHA256 087a4ea357c6298a1f9c86740171113d0aeacd8b6a0abe0d9652dff80accf432
SHA512 8bd32377e904b6e82ccfcbe4e16657035457271bf120703fc4b1e55979f8ee476b8f7d10f8603d9d5f4deecd2eacb79af9e67e5e06b7ae40de1beddf07129ee3

C:\Users\Admin\AppData\Roaming\nPedido-de-cotizacion.jar

MD5 f320885909e68bd534fb190dd36b8d17
SHA1 3e1996517744351c580728a8ff9ca18bd9bc579c
SHA256 087a4ea357c6298a1f9c86740171113d0aeacd8b6a0abe0d9652dff80accf432
SHA512 8bd32377e904b6e82ccfcbe4e16657035457271bf120703fc4b1e55979f8ee476b8f7d10f8603d9d5f4deecd2eacb79af9e67e5e06b7ae40de1beddf07129ee3

memory/2164-80-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-04 12:04

Reported

2023-07-04 12:06

Platform

win10v2004-20230703-en

Max time kernel

149s

Max time network

155s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\nPedido-de-cotizacion.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description  File created
Indicator    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nPedido-de-cotizacion.jar
Process      C:\ProgramData\Oracle\Java\javapath\java.exe
Target       N/A

Adds Run key to start application

persistence
Description  Set value (str)
Indicator    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nPedido-de-cotizacion = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\nPedido-de-cotizacion.jar\""
Process      C:\ProgramData\Oracle\Java\javapath\java.exe
Target       N/A

Description  Set value (str)
Indicator    \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nPedido-de-cotizacion = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\nPedido-de-cotizacion.jar\""
Process      C:\ProgramData\Oracle\Java\javapath\java.exe
Target       N/A

Creates scheduled task(s)

persistence
Description  N/A
Indicator    N/A
Process      C:\Windows\system32\schtasks.exe
Target       N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\nPedido-de-cotizacion.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\nPedido-de-cotizacion.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\nPedido-de-cotizacion.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\nPedido-de-cotizacion.jar"

Network

Country  Destination           Domain                       Proto  Flows
US       8.8.8.8:53            elastsolek1.duckdns.org      udp    2
RU       194.147.140.241:4787  elastsolek1.duckdns.org      tcp    13
US       8.8.8.8:53            zekeriyasolek45.duckdns.org  udp    2
RU       194.147.140.212:4787  zekeriyasolek45.duckdns.org  tcp    13
US       8.8.8.8:53            (reverse lookups, see below)  udp    9

Flows = number of connections recorded during the 155 s capture. The nine reverse (PTR) lookups, one each, were for 164.113.223.173.in-addr.arpa, 133.32.126.40.in-addr.arpa, 9.228.82.20.in-addr.arpa, 183.59.114.20.in-addr.arpa, 198.187.3.20.in-addr.arpa, 1.208.79.178.in-addr.arpa, 121.208.253.8.in-addr.arpa, 233.141.123.20.in-addr.arpa and 15.173.189.20.in-addr.arpa; the report does not attribute them to the sample, and they do not appear in the Windows 7 run, so they should not be treated as indicators.
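Both Network tables show the same shape: two DuckDNS names resolved through 8.8.8.8, then repeated TCP connections to 194.147.140.241:4787 and 194.147.140.212:4787, with (in the Windows 10 run) reverse lookups mixed in that are not part of the C2 traffic. The Python below is an added example, not part of the report or the sample. It parses rows in the report's Country Destination Domain Proto layout (a constructed subset of the behavioral1 rows is embedded as input), drops resolver and PTR noise, aggregates what remains into C2 indicators with flow counts, flags dynamic-DNS domains, and collapses the C2 addresses to their shared /24 for a coarser block rule. The dynamic-DNS suffixes other than duckdns.org are an assumption added for generality.

```python
import ipaddress
from collections import Counter

# Constructed input: a subset of the behavioral1 Network rows above, in the
# report's own "Country Destination Domain Proto" layout.
SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 elastsolek1.duckdns.org udp
RU 194.147.140.241:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
RU 194.147.140.241:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
RU 194.147.140.241:4787 elastsolek1.duckdns.org tcp
"""

# duckdns.org is the provider seen in this report; the other suffixes are an
# assumption added so the check generalises to other free dynamic-DNS zones.
DDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into flow dicts,
    skipping blank lines and the header row."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        flows.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain.lower(), "proto": proto.lower()})
    return flows


def is_resolver_noise(flow):
    """DNS to the sandbox resolver and reverse (PTR) lookups are not C2 endpoints."""
    return flow["port"] == 53 or flow["domain"].endswith(".in-addr.arpa")


def summarize(flows):
    """Collapse repeated rows to (ip, port, domain, proto) -> flow count."""
    return Counter((f["ip"], f["port"], f["domain"], f["proto"]) for f in flows)


def c2_indicators(flows):
    """Endpoints left after noise removal, keyed (ip, port, domain) -> flow count."""
    return Counter((f["ip"], f["port"], f["domain"])
                   for f in flows if not is_resolver_noise(f))


def dynamic_dns_domains(flows):
    """Domains hosted on a known free dynamic-DNS zone."""
    return sorted({f["domain"] for f in flows if f["domain"].endswith(DDNS_SUFFIXES)})


def shared_networks(indicators, prefix=24):
    """Prefixes covering the C2 addresses, for a coarser block rule than single hosts."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip, _, _ in indicators}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    flows = parse_rows(SAMPLE_TABLE)
    for (ip, port, domain), n in sorted(c2_indicators(flows).items()):
        print(f"{ip}:{port} {domain} ({n} flows)")
    print("dynamic DNS:", dynamic_dns_domains(flows))
    print("C2 prefixes:", shared_networks(c2_indicators(flows)))
```

Blocking by domain alone is weak here because DuckDNS names can be repointed at will; the IP:port pairs and the shared 194.147.140.0/24 prefix are the more durable indicators from this report, and the port (4787/tcp to both hosts) is a useful pivot for finding other samples from the same operator.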

Files

memory/3916-143-0x0000000002A40000-0x0000000002A41000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\nPedido-de-cotizacion.jar

MD5 f320885909e68bd534fb190dd36b8d17
SHA1 3e1996517744351c580728a8ff9ca18bd9bc579c
SHA256 087a4ea357c6298a1f9c86740171113d0aeacd8b6a0abe0d9652dff80accf432
SHA512 8bd32377e904b6e82ccfcbe4e16657035457271bf120703fc4b1e55979f8ee476b8f7d10f8603d9d5f4deecd2eacb79af9e67e5e06b7ae40de1beddf07129ee3

C:\Users\Admin\AppData\Roaming\nPedido-de-cotizacion.jar

MD5 f320885909e68bd534fb190dd36b8d17
SHA1 3e1996517744351c580728a8ff9ca18bd9bc579c
SHA256 087a4ea357c6298a1f9c86740171113d0aeacd8b6a0abe0d9652dff80accf432
SHA512 8bd32377e904b6e82ccfcbe4e16657035457271bf120703fc4b1e55979f8ee476b8f7d10f8603d9d5f4deecd2eacb79af9e67e5e06b7ae40de1beddf07129ee3

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 65a9331f551b21f19efc6f7a7a2c8e93
SHA1 625bc5d34f19483ab1175bf43f4d604e5f6dab08
SHA256 809fce916bfd221dc6edf30c520e9de974bb7063407a8c2425080ed91cc6934f
SHA512 950016eb9f2f91e79079f49c5eda4b40fe642125715f155b1b8548305a673310eb348a1bd02b2ce306eea92747d7a84c2eecbaf78b0a441d55607becc17de67b

memory/312-165-0x0000000001400000-0x0000000001401000-memory.dmp

memory/312-166-0x0000000001400000-0x0000000001401000-memory.dmp