Malware Analysis Report

2024-12-07 20:42

Sample ID: 230708-kbamjsea9w
Target: Payment_Advice.jar
SHA256: 80af6e8d6151329f83f063fe1162c41642af8d7b60808bbb1019ba2bccb29ebc
Tags: strrat persistence stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 80af6e8d6151329f83f063fe1162c41642af8d7b60808bbb1019ba2bccb29ebc

Threat Level: Known bad

The file Payment_Advice.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-08 08:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-08 08:25
Reported: 2023-07-08 08:27
Platform: win7-20230703-en
Max time kernel: 148s
Max time network: 140s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Payment_Advice.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice.jar
Process: C:\Windows\system32\java.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payment_Advice = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment_Advice.jar\""
Process: C:\Windows\system32\java.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment_Advice = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment_Advice.jar\""
Process: C:\Windows\system32\java.exe
Target: N/A

Creates scheduled task(s)

persistence
Description: N/A
Indicator: N/A
Process: C:\Windows\system32\schtasks.exe
Target: N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Payment_Advice.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment_Advice.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Payment_Advice.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment_Advice.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 efcc.duckdns.org udp
US 79.110.49.161:1243 efcc.duckdns.org tcp
N/A 127.0.0.1:1243 tcp
US 79.110.49.161:1243 efcc.duckdns.org tcp
N/A 127.0.0.1:1243 tcp
US 79.110.49.161:1243 efcc.duckdns.org tcp
N/A 127.0.0.1:1243 tcp
US 79.110.49.161:1243 efcc.duckdns.org tcp
N/A 127.0.0.1:1243 tcp
US 8.8.8.8:53 efcc.duckdns.org udp
US 79.110.49.161:1243 efcc.duckdns.org tcp
N/A 127.0.0.1:1243 tcp

Files

memory/2380-63-0x0000000000220000-0x0000000000221000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice.jar

MD5 233289b050dbef1acab4575d172f4108
SHA1 ca1d2bb3798673e394d3989c883ca6cae4f398cc
SHA256 80af6e8d6151329f83f063fe1162c41642af8d7b60808bbb1019ba2bccb29ebc
SHA512 d30c33ed3f0465cb0fcd3726455452cdd8dc11eb385556a516b4a1457236f0cbdc9dfb05d775aa673eba2051ef26b1fb81a0a4ce270cdae6c6a92db958280bd1

C:\Users\Admin\AppData\Roaming\Payment_Advice.jar

MD5 233289b050dbef1acab4575d172f4108
SHA1 ca1d2bb3798673e394d3989c883ca6cae4f398cc
SHA256 80af6e8d6151329f83f063fe1162c41642af8d7b60808bbb1019ba2bccb29ebc
SHA512 d30c33ed3f0465cb0fcd3726455452cdd8dc11eb385556a516b4a1457236f0cbdc9dfb05d775aa673eba2051ef26b1fb81a0a4ce270cdae6c6a92db958280bd1

memory/2272-80-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-08 08:25
Reported: 2023-07-08 08:27
Platform: win10v2004-20230703-en
Max time kernel: 143s
Max time network: 153s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Payment_Advice.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice.jar
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment_Advice = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment_Advice.jar\""
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment_Advice = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment_Advice.jar\""
Process: C:\ProgramData\Oracle\Java\javapath\java.exe
Target: N/A

Creates scheduled task(s)

persistence
Description: N/A
Indicator: N/A
Process: C:\Windows\system32\schtasks.exe
Target: N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Payment_Advice.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment_Advice.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Payment_Advice.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment_Advice.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 efcc.duckdns.org udp
US 79.110.49.161:1243 efcc.duckdns.org tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
N/A 127.0.0.1:1243 tcp
US 79.110.49.161:1243 efcc.duckdns.org tcp
N/A 127.0.0.1:1243 tcp
US 79.110.49.161:1243 efcc.duckdns.org tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
N/A 127.0.0.1:1243 tcp
US 79.110.49.161:1243 efcc.duckdns.org tcp
N/A 127.0.0.1:1243 tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 efcc.duckdns.org udp
US 79.110.49.161:1243 efcc.duckdns.org tcp

Files

memory/1836-143-0x0000000000F80000-0x0000000000F81000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Payment_Advice.jar

MD5 233289b050dbef1acab4575d172f4108
SHA1 ca1d2bb3798673e394d3989c883ca6cae4f398cc
SHA256 80af6e8d6151329f83f063fe1162c41642af8d7b60808bbb1019ba2bccb29ebc
SHA512 d30c33ed3f0465cb0fcd3726455452cdd8dc11eb385556a516b4a1457236f0cbdc9dfb05d775aa673eba2051ef26b1fb81a0a4ce270cdae6c6a92db958280bd1

C:\Users\Admin\AppData\Roaming\Payment_Advice.jar

MD5 233289b050dbef1acab4575d172f4108
SHA1 ca1d2bb3798673e394d3989c883ca6cae4f398cc
SHA256 80af6e8d6151329f83f063fe1162c41642af8d7b60808bbb1019ba2bccb29ebc
SHA512 d30c33ed3f0465cb0fcd3726455452cdd8dc11eb385556a516b4a1457236f0cbdc9dfb05d775aa673eba2051ef26b1fb81a0a4ce270cdae6c6a92db958280bd1

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 08122380e91d26a8390ebb86812a74ae
SHA1 4eacf5e0562837d3d43fd40940f22d3cf78f42fe
SHA256 461619e82a8472f6d258eceb6a917a7599a464b9d8c5ee9cade97ed046276347
SHA512 84eafc942120cb3114cdbb7ff6bd976426b4818c02f5a928c6f3f1c7dd74c269fea78bee3af48f693efbbe27285fd56240cbedfbd345a7dcd9dc41508e096b87

memory/1564-163-0x0000000000730000-0x0000000000731000-memory.dmp

memory/1564-164-0x0000000000730000-0x0000000000731000-memory.dmp