Malware Analysis Report

2024-12-07 20:40

Sample ID 230706-l9ke3sbc8w
Target Attachment.jar
SHA256 3bc3579f84354fe3b51fd60254362bb523a76beb34adb1fa1cedd2b34dfbb61a
Tags
strrat persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3bc3579f84354fe3b51fd60254362bb523a76beb34adb1fa1cedd2b34dfbb61a

Threat Level: Known bad

The file Attachment.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-06 10:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-06 10:13

Reported

2023-07-06 10:16

Platform

win7-20230705-en

Max time kernel

138s

Max time network

152s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Attachment.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description  | Indicator                                                                                   | Process                      | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Attachment.jar | C:\Windows\system32\java.exe | N/A

Adds Run key to start application

persistence
Description     | Indicator                                                                                                                                                                                                                         | Process                      | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\Attachment = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Attachment.jar\"" | C:\Windows\system32\java.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Attachment = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Attachment.jar\""                                         | C:\Windows\system32\java.exe | N/A

Both the per-user hive (\REGISTRY\USER\<SID>, i.e. HKCU for the Admin account) and the machine hive (HKLM) receive a Run value named "Attachment". The HKLM write needs administrative rights, so the sample ran elevated in this detonation. The value launches javaw.exe (no console window) against the copy in AppData\Roaming, not the original in AppData\Local\Temp.

Creates scheduled task(s)

persistence
Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\system32\schtasks.exe | N/A

The signature records only the schtasks.exe process; the task parameters are in its command line under Processes: task name "Skype", trigger every 30 minutes (/sc minute /mo 30), action the jar in AppData\Roaming. The action names the .jar directly rather than a java.exe path, so it relies on the host's .jar file association to start the runtime.

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                      | Target                                  | Count
PID 2648 wrote to memory of 2068 | N/A       | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe             | 3
PID 2648 wrote to memory of 1844 | N/A       | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe | 3
PID 2068 wrote to memory of 2080 | N/A       | C:\Windows\system32\cmd.exe  | C:\Windows\system32\schtasks.exe        | 3

Each source/target pair is a parent and the child it spawned (java.exe 2648 -> cmd.exe 2068 and java.exe 1844; cmd.exe 2068 -> schtasks.exe 2080), so these writes accompany ordinary child-process creation rather than injection into an unrelated process. The entries are still worth reading: they are the only place this report gives PIDs and parent/child relationships.

Uses Task Scheduler COM API

persistence

Processes

Process tree (PIDs and parent/child links taken from the WriteProcessMemory entries above):

java.exe (PID 2648)  C:\Windows\system32\java.exe
|   java -jar C:\Users\Admin\AppData\Local\Temp\Attachment.jar
|
+-- cmd.exe (PID 2068)  C:\Windows\system32\cmd.exe
|   |   cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Attachment.jar"
|   |
|   +-- schtasks.exe (PID 2080)  C:\Windows\system32\schtasks.exe
|           schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Attachment.jar"
|
+-- java.exe (PID 1844)  C:\Program Files\Java\jre7\bin\java.exe
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Attachment.jar"

Network

Country | Destination        | Domain           | Proto
US      | 8.8.8.8:53         | efcc.duckdns.org | udp
US      | 79.110.49.161:1243 | efcc.duckdns.org | tcp
N/A     | 127.0.0.1:1243     | -                | tcp
US      | 79.110.49.161:1243 | efcc.duckdns.org | tcp
N/A     | 127.0.0.1:1243     | -                | tcp
US      | 8.8.8.8:53         | efcc.duckdns.org | udp
US      | 79.110.49.161:1243 | efcc.duckdns.org | tcp
N/A     | 127.0.0.1:1243     | -                | tcp
US      | 79.110.49.161:1243 | efcc.duckdns.org | tcp
N/A     | 127.0.0.1:1243     | -                | tcp
US      | 8.8.8.8:53         | efcc.duckdns.org | udp
US      | 79.110.49.161:1243 | efcc.duckdns.org | tcp

In total: 3 DNS queries for efcc.duckdns.org to 8.8.8.8, 5 TCP connections to 79.110.49.161:1243 (the address the domain resolved to) and 4 TCP connections to 127.0.0.1:1243 with no domain. The network indicators are the DuckDNS name and 79.110.49.161 on port 1243; the loopback connections reuse the same port and never leave the host.

Files

memory/2648-63-0x00000000000B0000-0x00000000000B1000-memory.dmp
  (memory dump from java.exe PID 2648, the instance started from Temp)

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Attachment.jar
  MD5    0e3fdb5b619f6a39b6a6ea16cd930c97
  SHA1   43a992927b4019290c7ce11fa0d8f4ac0913c063
  SHA256 3bc3579f84354fe3b51fd60254362bb523a76beb34adb1fa1cedd2b34dfbb61a
  SHA512 811dd76df42c9f8f290ffe0ae4c16963c62ff285fe68500c23292f36516e2beb90a152b567593e32e2f30b7c678fac89aab1b274e6c8376c96f7ee8c463b1ff7

C:\Users\Admin\AppData\Roaming\Attachment.jar
  MD5    0e3fdb5b619f6a39b6a6ea16cd930c97
  SHA1   43a992927b4019290c7ce11fa0d8f4ac0913c063
  SHA256 3bc3579f84354fe3b51fd60254362bb523a76beb34adb1fa1cedd2b34dfbb61a
  SHA512 811dd76df42c9f8f290ffe0ae4c16963c62ff285fe68500c23292f36516e2beb90a152b567593e32e2f30b7c678fac89aab1b274e6c8376c96f7ee8c463b1ff7

memory/1844-80-0x0000000000420000-0x0000000000421000-memory.dmp
  (memory dump from java.exe PID 1844, the second instance started from the AppData\Roaming copy)

Both dropped files carry the same SHA256 as the submitted sample (3bc3579f...), so they are byte-identical copies rather than a decrypted or repacked second stage. Besides the original in AppData\Local\Temp, the report records three on-disk paths for the jar: the all-users Startup folder under C:\ProgramData (listed here), the per-user Startup folder (recorded under "Drops startup file") and AppData\Roaming (the target of the Run values and the scheduled task).

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-06 10:13

Reported

2023-07-06 10:16

Platform

win10v2004-20230703-en

Max time kernel

158s

Max time network

162s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Attachment.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description  | Indicator                                                                                   | Process                                     | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Attachment.jar | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A

Adds Run key to start application

persistence
Description     | Indicator                                                                                                                                                                                                                                | Process                                     | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Attachment = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Attachment.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Attachment = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Attachment.jar\""                                         | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A

Same behaviour as on the win7 image: a Run value named "Attachment" in both the per-user and the machine hive, pointing javaw.exe at the AppData\Roaming copy. Only the Java path differs (jre1.8.0_66 instead of jre7), and the writing process is the java.exe in C:\ProgramData\Oracle\Java\javapath, the directory the Oracle installer places on PATH.

Creates scheduled task(s)

persistence
Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\system32\schtasks.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Attachment.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Attachment.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Attachment.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Attachment.jar"
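The persistence chain is the same in both detonations: the first java.exe spawns cmd.exe, which spawns schtasks.exe, while the same java.exe writes the Run values and the Startup-folder copy. The following Python is an added example written for this page, not output of the sandbox and not code from the sample: it rebuilds the process tree from parent/child records and flags the scheduled task, the Run values, the Startup-folder drop and the java > cmd > schtasks chain. The input records are constructed from the behavioral1 section (its PIDs, command lines, registry values and paths); the parent PID 1000 of the first java.exe is an assumption standing in for the sandbox launcher, and the record layout is this example's own rather than any sandbox export format.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample records modelled on the behavioral1 section of this report.
# PIDs, images, command lines, registry values and paths come from the report;
# the ppid 1000 of the first java.exe is an assumption (the sandbox launcher).
PROCS = [
    {"pid": 2648, "ppid": 1000, "image": r"C:\Windows\system32\java.exe",
     "cmdline": r"java -jar C:\Users\Admin\AppData\Local\Temp\Attachment.jar"},
    {"pid": 2068, "ppid": 2648, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Attachment.jar"'},
    {"pid": 2080, "ppid": 2068, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Attachment.jar"'},
    {"pid": 1844, "ppid": 2648, "image": r"C:\Program Files\Java\jre7\bin\java.exe",
     "cmdline": r'"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Attachment.jar"'},
]
RUN_VALUE = r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Attachment.jar"'
REG_SETS = [
    {"pid": 2648, "name": "Attachment", "value": RUN_VALUE,
     "key": r"\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"pid": 2648, "name": "Attachment", "value": RUN_VALUE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]
FILE_CREATES = [
    {"pid": 2648, "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Attachment.jar"},
]

# A .jar anywhere under a user's AppData tree (Roaming or Local).
JAR_UNDER_APPDATA = re.compile(r'[A-Za-z]:\\Users\\[^\\]+\\AppData\\[^"]*?\.jar', re.IGNORECASE)
# Target of schtasks /tr "<...>" when it is a .jar.
SCHTASKS_TR = re.compile(r'/tr\s+"?([^"]+?\.jar)"?', re.IGNORECASE)
# java.exe or javaw.exe launching a jar with -jar.
JAVA_JAR_LAUNCH = re.compile(r'javaw?\.exe"?\s+-jar\s+"?([^"]+?\.jar)', re.IGNORECASE)
# A .jar dropped into a Startup folder (per-user or all-users; "StartUp" casing too).
STARTUP_JAR = re.compile(r'\\Start Menu\\Programs\\Startup\\[^\\]+\.jar$', re.IGNORECASE)


def image_name(path):
    """Lower-case executable name from a (possibly quoted) Windows path."""
    return ntpath.basename(path.strip('"')).lower()


def process_chains(procs):
    """Return one 'parent > child > ...' image chain per leaf, starting at each root."""
    by_pid = {p["pid"]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p["pid"])
    chains = []

    def walk(pid, trail):
        trail = trail + [image_name(by_pid[pid]["image"])]
        if not children.get(pid):
            chains.append(" > ".join(trail))
        for child in children.get(pid, []):
            walk(child, trail)

    for p in procs:
        if p["ppid"] not in by_pid:   # root: its parent is not in the record set
            walk(p["pid"], [])
    return chains


def find_persistence(procs, reg_sets, file_creates):
    """Return (technique, evidence) pairs for the STRRAT persistence pattern."""
    findings = []
    for p in procs:
        if image_name(p["image"]) == "schtasks.exe" and "/create" in p["cmdline"].lower():
            m = SCHTASKS_TR.search(p["cmdline"])
            if m and JAR_UNDER_APPDATA.search(m.group(1)):
                findings.append(("scheduled_task_runs_jar", m.group(1)))
    for r in reg_sets:
        if r["key"].lower().endswith(r"\currentversion\run"):
            m = JAVA_JAR_LAUNCH.search(r["value"])
            if m and JAR_UNDER_APPDATA.search(m.group(1)):
                hive = "HKLM" if r["key"].upper().startswith(r"\REGISTRY\MACHINE") else "HKU"
                findings.append(("run_key_launches_jar", f"{hive} {r['name']} -> {m.group(1)}"))
    for f in file_creates:
        if STARTUP_JAR.search(f["path"]):
            findings.append(("jar_in_startup_folder", f["path"]))
    for chain in process_chains(procs):
        if "java.exe > cmd.exe > schtasks.exe" in chain:
            findings.append(("java_spawns_schtasks_via_cmd", chain))
    return findings


if __name__ == "__main__":
    for technique, evidence in find_persistence(PROCS, REG_SETS, FILE_CREATES):
        print(f"{technique:30} {evidence}")
```

The checks are deliberately keyed on what the report shows to be stable across the two images (a .jar under AppData as the task action, a javaw.exe -jar Run value, a .jar in a Startup folder, the java > cmd > schtasks chain) rather than on the Java install path or the task name "Skype", both of which differ between hosts or are trivially changed by the operator.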

Network

Country | Destination        | Domain                      | Proto
US      | 8.8.8.8:53         | 17.160.190.20.in-addr.arpa  | udp
US      | 8.8.8.8:53         | 26.35.223.20.in-addr.arpa   | udp
US      | 8.8.8.8:53         | efcc.duckdns.org            | udp
US      | 79.110.49.161:1243 | efcc.duckdns.org            | tcp
N/A     | 127.0.0.1:1243     | -                           | tcp
US      | 79.110.49.161:1243 | efcc.duckdns.org            | tcp
US      | 8.8.8.8:53         | 73.254.224.20.in-addr.arpa  | udp
N/A     | 127.0.0.1:1243     | -                           | tcp
US      | 79.110.49.161:1243 | efcc.duckdns.org            | tcp
N/A     | 127.0.0.1:1243     | -                           | tcp
US      | 79.110.49.161:1243 | efcc.duckdns.org            | tcp
US      | 8.8.8.8:53         | 169.117.168.52.in-addr.arpa | udp
N/A     | 127.0.0.1:1243     | -                           | tcp
US      | 8.8.8.8:53         | efcc.duckdns.org            | udp
US      | 79.110.49.161:1243 | efcc.duckdns.org            | tcp

In total: 2 DNS queries for efcc.duckdns.org, 5 TCP connections to 79.110.49.161:1243 and 4 TCP connections to 127.0.0.1:1243, the same C2 pattern as on the win7 image. The four in-addr.arpa queries are reverse (PTR) lookups for 20.190.160.17, 20.223.35.26, 20.224.254.73 and 52.168.117.169; they are not tied to the sample's C2 traffic and are consistent with Windows 10 background activity on the sandbox image, so they should not be treated as indicators.
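Both Network tables reduce to the same three kinds of traffic: forward DNS for the DuckDNS name, TCP to the resolved address on port 1243, and loopback connections on the same port, with the win10 run adding reverse-lookup noise. The following Python is an added example written for this page, not part of the report and not sandbox tooling: it collapses raw rows into an IOC summary (external endpoints with hit counts, queried names, reverse lookups set aside, loopback ports) and emits Suricata rules for the C2 name and address. The rows are constructed from the behavioral1 table plus one reverse-lookup row from behavioral2; the resolver list (8.8.8.8), the rule family name and the sid numbers are this example's assumptions.

```python
import ipaddress
from collections import Counter

# Constructed rows (country, destination, domain, proto) copied from the
# behavioral1 Network table, plus one reverse-lookup row from behavioral2
# to show how that noise is kept apart from the C2 indicators.
CONNECTIONS = [
    ("US", "8.8.8.8:53", "efcc.duckdns.org", "udp"),
    ("US", "79.110.49.161:1243", "efcc.duckdns.org", "tcp"),
    ("N/A", "127.0.0.1:1243", "", "tcp"),
    ("US", "79.110.49.161:1243", "efcc.duckdns.org", "tcp"),
    ("N/A", "127.0.0.1:1243", "", "tcp"),
    ("US", "8.8.8.8:53", "efcc.duckdns.org", "udp"),
    ("US", "79.110.49.161:1243", "efcc.duckdns.org", "tcp"),
    ("N/A", "127.0.0.1:1243", "", "tcp"),
    ("US", "79.110.49.161:1243", "efcc.duckdns.org", "tcp"),
    ("N/A", "127.0.0.1:1243", "", "tcp"),
    ("US", "8.8.8.8:53", "efcc.duckdns.org", "udp"),
    ("US", "79.110.49.161:1243", "efcc.duckdns.org", "tcp"),
    ("US", "8.8.8.8:53", "17.160.190.20.in-addr.arpa", "udp"),
]

# Resolver used by the sandbox image; an assumption for this example.
RESOLVERS = {"8.8.8.8"}


def split_dest(dest):
    """'host:port' -> (host, int port). IPv4 only, which is all this report shows."""
    host, port = dest.rsplit(":", 1)
    return host, int(port)


def summarize(conns, resolvers=RESOLVERS):
    """Collapse raw sandbox rows into IOC buckets."""
    c2 = Counter()           # (domain, ip, port, proto) -> number of connections
    queried = set()          # forward DNS names asked of the resolver
    reverse_lookups = set()  # PTR names, usually OS background noise
    loopback_ports = set()   # 127.0.0.1 ports the sample talks to itself on
    for _country, dest, domain, proto in conns:
        host, port = split_dest(dest)
        ip = ipaddress.ip_address(host)
        if proto == "udp" and port == 53 and host in resolvers:
            if domain.endswith(".in-addr.arpa"):
                reverse_lookups.add(domain)
            else:
                queried.add(domain)
        elif ip.is_loopback:
            loopback_ports.add(port)
        elif ip.is_global:
            c2[(domain or None, host, port, proto)] += 1
        # RFC 1918 and link-local destinations are dropped: useless as IOCs.
    return {"c2": dict(c2), "queried": queried,
            "reverse_lookups": reverse_lookups, "loopback_ports": loopback_ports}


def suricata_rules(summary, sid_base=9000001, family="STRRAT"):
    """One DNS rule per queried name and one flow rule per external C2 endpoint."""
    rules, sid = [], sid_base
    for domain in sorted(summary["queried"]):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"{family} C2 DNS query {domain}"; '
            f'dns.query; content:"{domain}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    for domain, ip, port, proto in sorted(summary["c2"], key=lambda k: (k[1], k[2])):
        rules.append(
            f'alert {proto} $HOME_NET any -> {ip} {port} (msg:"{family} C2 {domain or ip}:{port}"; '
            f'flow:to_server; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    s = summarize(CONNECTIONS)
    for key, value in s.items():
        print(key, value)
    print("\n".join(suricata_rules(s)))
```

The DNS rule is the more durable of the two: DuckDNS names are re-pointed freely, so the 79.110.49.161 rule will go stale before the name does, which is why the summary keeps the domain on the C2 tuple rather than only the address.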

Files

memory/4520-144-0x00000000009B0000-0x00000000009B1000-memory.dmp
  (memory dump; PID 4520 is not listed elsewhere in this report)

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Attachment.jar
  MD5    0e3fdb5b619f6a39b6a6ea16cd930c97
  SHA1   43a992927b4019290c7ce11fa0d8f4ac0913c063
  SHA256 3bc3579f84354fe3b51fd60254362bb523a76beb34adb1fa1cedd2b34dfbb61a
  SHA512 811dd76df42c9f8f290ffe0ae4c16963c62ff285fe68500c23292f36516e2beb90a152b567593e32e2f30b7c678fac89aab1b274e6c8376c96f7ee8c463b1ff7

C:\Users\Admin\AppData\Roaming\Attachment.jar
  MD5    0e3fdb5b619f6a39b6a6ea16cd930c97
  SHA1   43a992927b4019290c7ce11fa0d8f4ac0913c063
  SHA256 3bc3579f84354fe3b51fd60254362bb523a76beb34adb1fa1cedd2b34dfbb61a
  SHA512 811dd76df42c9f8f290ffe0ae4c16963c62ff285fe68500c23292f36516e2beb90a152b567593e32e2f30b7c678fac89aab1b274e6c8376c96f7ee8c463b1ff7

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
  MD5    3dc2f0db64871c2929f61871f13b962d
  SHA1   82fbb5b50524df0bbadfcf29fd2fe2366e3d6dcd
  SHA256 74459cda4916f7d047545aa1d0aca7ade70a5bc376dd6faccee770703eea8e83
  SHA512 3f8cfc3a04565bf56c89d1db939f856032162f0eba57d01803133ff300edd85e3eb16d3809bd7408e6e9a480992e8f360d6256ab818e2507bc65a9c6674a00c9
  (usage-tracking timestamp written by the Oracle JRE when it runs; a runtime artifact, not something the sample drops)

memory/3456-165-0x0000000002F20000-0x0000000002F21000-memory.dmp
  (memory dump; PID 3456 is not listed elsewhere in this report)

As on the win7 image, the two dropped jars have the same SHA256 as the submitted sample, so they are unchanged copies of the original placed in the all-users Startup folder and in AppData\Roaming.