Malware Analysis Report

2024-12-07 20:41

Sample ID 230706-gfp19aae3t
Target Cotizaciones.jar
SHA256 760e559a3535b27d012b29e4c44767e7261e7a29f45b78189196d85b25876b5e
Tags
strrat persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

760e559a3535b27d012b29e4c44767e7261e7a29f45b78189196d85b25876b5e

Threat Level: Known bad

The file Cotizaciones.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Drops file in System32 directory

Checks processor information in registry

Enumerates system info in registry

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-06 05:45

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-06 05:45

Reported

2023-07-06 05:47

Platform

win10v2004-20230703-en

Max time kernel

145s

Max time network

152s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Cotizaciones.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cotizaciones.jar C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotizaciones = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Cotizaciones.jar\"" C:\ProgramData\Oracle\Java\javapath\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotizaciones = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Cotizaciones.jar\"" C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3A4E4E29-20CA-4616-8E52-90359A7C4073}.catalogItem C:\Windows\System32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\svchost.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\svchost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Cotizaciones.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Cotizaciones.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Cotizaciones.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Cotizaciones.jar"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

Network

Files

memory/4816-143-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Cotizaciones.jar

MD5 70a0aefb832e99006ed06844554ff498
SHA1 eefeee9919557f65474c7c01d11f900aba1c0f31
SHA256 760e559a3535b27d012b29e4c44767e7261e7a29f45b78189196d85b25876b5e
SHA512 8adfa7e91e312cfcaef15e7da66fee7a3a19a8054ff813432702fc5cf29c60c634e8127e41c6a5ad0d8530f58ba9fc01cf6d403bf1456b7e9d498f766aa2c3c8

C:\Users\Admin\AppData\Roaming\Cotizaciones.jar

MD5 70a0aefb832e99006ed06844554ff498
SHA1 eefeee9919557f65474c7c01d11f900aba1c0f31
SHA256 760e559a3535b27d012b29e4c44767e7261e7a29f45b78189196d85b25876b5e
SHA512 8adfa7e91e312cfcaef15e7da66fee7a3a19a8054ff813432702fc5cf29c60c634e8127e41c6a5ad0d8530f58ba9fc01cf6d403bf1456b7e9d498f766aa2c3c8

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 9a6aba2b144c3cfc7d820da5c8cfc8a9
SHA1 8c8fb35d439af1cd843c1a3581256d5c9bcc0299
SHA256 e7b5056b395946d6dc8e74155d9fb2ba6d0f2133554a1448e96d47b94e3e5a9c
SHA512 783d84f2149cdbde79eb40cad25be9491430e73a69caa1c33bf02fe094b5dd823b175cc868c1f627df0bc788f933ed1f3c55a982072894e06b540dfcb392ff7f

memory/5016-164-0x0000000001360000-0x0000000001361000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-06 05:45

Reported

2023-07-06 05:47

Platform

win7-20230703-en

Max time kernel

149s

Max time network

154s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Cotizaciones.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cotizaciones.jar C:\Windows\system32\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cotizaciones = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Cotizaciones.jar\"" C:\Windows\system32\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotizaciones = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Cotizaciones.jar\"" C:\Windows\system32\java.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 2312 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 2312 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 2312 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 2120 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1352 wrote to memory of 2120 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1352 wrote to memory of 2120 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2312 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2312 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2312 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Cotizaciones.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Cotizaciones.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Cotizaciones.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Cotizaciones.jar"

Network

Files

memory/1352-63-0x0000000000130000-0x0000000000131000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Cotizaciones.jar

MD5 70a0aefb832e99006ed06844554ff498
SHA1 eefeee9919557f65474c7c01d11f900aba1c0f31
SHA256 760e559a3535b27d012b29e4c44767e7261e7a29f45b78189196d85b25876b5e
SHA512 8adfa7e91e312cfcaef15e7da66fee7a3a19a8054ff813432702fc5cf29c60c634e8127e41c6a5ad0d8530f58ba9fc01cf6d403bf1456b7e9d498f766aa2c3c8

C:\Users\Admin\AppData\Roaming\Cotizaciones.jar

MD5 70a0aefb832e99006ed06844554ff498
SHA1 eefeee9919557f65474c7c01d11f900aba1c0f31
SHA256 760e559a3535b27d012b29e4c44767e7261e7a29f45b78189196d85b25876b5e
SHA512 8adfa7e91e312cfcaef15e7da66fee7a3a19a8054ff813432702fc5cf29c60c634e8127e41c6a5ad0d8530f58ba9fc01cf6d403bf1456b7e9d498f766aa2c3c8

memory/2120-80-0x0000000000130000-0x0000000000131000-memory.dmp