Malware Analysis Report

2024-12-07 20:47

Sample ID 230704-qj3wysfa2y
Target PaymentAdvicejar.jar
SHA256 bd1248880dc8c8ddbf23ec2fbe6db2463251fc137d4efbcf827f100e5a413a2c
Tags
strrat persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bd1248880dc8c8ddbf23ec2fbe6db2463251fc137d4efbcf827f100e5a413a2c

Threat Level: Known bad

The file PaymentAdvicejar.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-04 13:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-04 13:18

Reported

2023-07-04 13:21

Platform

win7-20230703-en

Max time kernel

69s

Max time network

38s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejar.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejar.jar
Process: C:\Windows\system32\java.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejar = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvicejar.jar\""
Process: C:\Windows\system32\java.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejar = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvicejar.jar\""
Process: C:\Windows\system32\java.exe
Target: N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 2924 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2256 wrote to memory of 2924 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2256 wrote to memory of 2924 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2256 wrote to memory of 2116 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2256 wrote to memory of 2116 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2256 wrote to memory of 2116 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2924 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2924 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2924 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejar.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejar.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejar.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejar.jar"

Network

N/A

Files

memory/2256-63-0x0000000000340000-0x0000000000341000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejar.jar

MD5 96e155635a6002564daf530fb8a7640d
SHA1 1f56272c46862b6ffa167a47d8d2346c26c7053c
SHA256 bd1248880dc8c8ddbf23ec2fbe6db2463251fc137d4efbcf827f100e5a413a2c
SHA512 2bc66a5175d2f9d39a574f4c88fcdb38ca155ea6af748b7649c2e0c929453d26183cf80f5a20225dedaa8b10c9eaf5465e7c406e71a710cae1e5dc47a9d970e7

C:\Users\Admin\AppData\Roaming\PaymentAdvicejar.jar

MD5 96e155635a6002564daf530fb8a7640d
SHA1 1f56272c46862b6ffa167a47d8d2346c26c7053c
SHA256 bd1248880dc8c8ddbf23ec2fbe6db2463251fc137d4efbcf827f100e5a413a2c
SHA512 2bc66a5175d2f9d39a574f4c88fcdb38ca155ea6af748b7649c2e0c929453d26183cf80f5a20225dedaa8b10c9eaf5465e7c406e71a710cae1e5dc47a9d970e7

memory/2116-79-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-04 13:18

Reported

2023-07-04 13:20

Platform

win10v2004-20230703-en

Max time kernel

146s

Max time network

151s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejar.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejar.jar
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvicejar.jar\""
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvicejar.jar\""
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4292 wrote to memory of 1032 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4292 wrote to memory of 1032 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4292 wrote to memory of 3736 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 4292 wrote to memory of 3736 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 1032 wrote to memory of 3600 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1032 wrote to memory of 3600 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3736 wrote to memory of 2252 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3736 wrote to memory of 2252 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2252 wrote to memory of 3816 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2252 wrote to memory of 3816 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3736 wrote to memory of 4960 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3736 wrote to memory of 4960 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4960 wrote to memory of 4824 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4960 wrote to memory of 4824 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3736 wrote to memory of 2996 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3736 wrote to memory of 2996 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2996 wrote to memory of 3420 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2996 wrote to memory of 3420 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3736 wrote to memory of 2908 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3736 wrote to memory of 2908 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2908 wrote to memory of 472 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2908 wrote to memory of 472 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejar.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejar.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejar.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejar.jar"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list

Network

Country Destination Domain Proto
US 8.8.8.8:53 efcc.duckdns.org udp
US 79.110.49.161:1243 efcc.duckdns.org tcp
US 8.8.8.8:53 161.49.110.79.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp

Files

memory/4292-143-0x0000000000B70000-0x0000000000B71000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\PaymentAdvicejar.jar

MD5 96e155635a6002564daf530fb8a7640d
SHA1 1f56272c46862b6ffa167a47d8d2346c26c7053c
SHA256 bd1248880dc8c8ddbf23ec2fbe6db2463251fc137d4efbcf827f100e5a413a2c
SHA512 2bc66a5175d2f9d39a574f4c88fcdb38ca155ea6af748b7649c2e0c929453d26183cf80f5a20225dedaa8b10c9eaf5465e7c406e71a710cae1e5dc47a9d970e7

C:\Users\Admin\AppData\Roaming\PaymentAdvicejar.jar

MD5 96e155635a6002564daf530fb8a7640d
SHA1 1f56272c46862b6ffa167a47d8d2346c26c7053c
SHA256 bd1248880dc8c8ddbf23ec2fbe6db2463251fc137d4efbcf827f100e5a413a2c
SHA512 2bc66a5175d2f9d39a574f4c88fcdb38ca155ea6af748b7649c2e0c929453d26183cf80f5a20225dedaa8b10c9eaf5465e7c406e71a710cae1e5dc47a9d970e7

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 9fd36d8d2ce7d2324180fb3509ed1a50
SHA1 7700a00a7055f1b62ddea19c5595e4e9f35451c0
SHA256 863a90e5f600ddc374db2bed540dc0912e47d1787695b15aa6f94042f8704586
SHA512 515036f40c876a887d696eb267f180938a49fc045bbe435d0c98970b824425ab95bb02bdb0f57de7bd25a610ddebfbbc4accec3b5ecd4a625e2d319b8a52555e

memory/3736-163-0x0000000000480000-0x0000000000481000-memory.dmp

memory/3736-165-0x0000000000480000-0x0000000000481000-memory.dmp