Malware Analysis Report

2024-12-07 20:40

Sample ID 230709-j74d3acc6y
Target PO7623jarjarjarjarjarjarj.jar
SHA256 3bc3579f84354fe3b51fd60254362bb523a76beb34adb1fa1cedd2b34dfbb61a
Tags: strrat persistence stealer trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

3bc3579f84354fe3b51fd60254362bb523a76beb34adb1fa1cedd2b34dfbb61a

Threat Level: Known bad

The file PO7623jarjarjarjarjarjarj.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-09 08:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-09 08:19

Reported

2023-07-09 08:22

Platform

win7-20230703-en

Max time kernel

72s

Max time network

76s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\PO7623jarjarjarjarjarjarj.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO7623jarjarjarjarjarjarj.jar | C:\Windows\system32\java.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO7623jarjarjarjarjarjarj = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PO7623jarjarjarjarjarjarj.jar\"" | C:\Windows\system32\java.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO7623jarjarjarjarjarjarj = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PO7623jarjarjarjarjarjarj.jar\"" | C:\Windows\system32\java.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1340 wrote to memory of 1972 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 1340 wrote to memory of 1972 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 1340 wrote to memory of 1972 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 1340 wrote to memory of 1400 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 1340 wrote to memory of 1400 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 1340 wrote to memory of 1400 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 1972 wrote to memory of 1744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1972 wrote to memory of 1744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1972 wrote to memory of 1744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\PO7623jarjarjarjarjarjarj.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PO7623jarjarjarjarjarjarj.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PO7623jarjarjarjarjarjarj.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PO7623jarjarjarjarjarjarj.jar"

Network

Country | Destination | Domain | Proto
US | 192.229.211.108:80 | | tcp

Files

memory/1340-63-0x0000000000120000-0x0000000000121000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PO7623jarjarjarjarjarjarj.jar

MD5 0e3fdb5b619f6a39b6a6ea16cd930c97
SHA1 43a992927b4019290c7ce11fa0d8f4ac0913c063
SHA256 3bc3579f84354fe3b51fd60254362bb523a76beb34adb1fa1cedd2b34dfbb61a
SHA512 811dd76df42c9f8f290ffe0ae4c16963c62ff285fe68500c23292f36516e2beb90a152b567593e32e2f30b7c678fac89aab1b274e6c8376c96f7ee8c463b1ff7

C:\Users\Admin\AppData\Roaming\PO7623jarjarjarjarjarjarj.jar

MD5 0e3fdb5b619f6a39b6a6ea16cd930c97
SHA1 43a992927b4019290c7ce11fa0d8f4ac0913c063
SHA256 3bc3579f84354fe3b51fd60254362bb523a76beb34adb1fa1cedd2b34dfbb61a
SHA512 811dd76df42c9f8f290ffe0ae4c16963c62ff285fe68500c23292f36516e2beb90a152b567593e32e2f30b7c678fac89aab1b274e6c8376c96f7ee8c463b1ff7

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-09 08:19

Reported

2023-07-09 08:22

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

151s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\PO7623jarjarjarjarjarjarj.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO7623jarjarjarjarjarjarj.jar | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO7623jarjarjarjarjarjarj = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PO7623jarjarjarjarjarjarj.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO7623jarjarjarjarjarjarj = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PO7623jarjarjarjarjarjarj.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\PO7623jarjarjarjarjarjarj.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PO7623jarjarjarjarjarjarj.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PO7623jarjarjarjarjarjarj.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PO7623jarjarjarjarjarjarj.jar"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | efcc.duckdns.org | udp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.133.241.8.in-addr.arpa | udp
N/A | 127.0.0.1:1243 | | tcp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp
N/A | 127.0.0.1:1243 | | tcp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp
N/A | 127.0.0.1:1243 | | tcp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp
N/A | 127.0.0.1:1243 | | tcp
US | 8.8.8.8:53 | efcc.duckdns.org | udp
US | 79.110.49.161:1243 | efcc.duckdns.org | tcp
US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp

Files

memory/3012-143-0x0000000001140000-0x0000000001141000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\PO7623jarjarjarjarjarjarj.jar

MD5 0e3fdb5b619f6a39b6a6ea16cd930c97
SHA1 43a992927b4019290c7ce11fa0d8f4ac0913c063
SHA256 3bc3579f84354fe3b51fd60254362bb523a76beb34adb1fa1cedd2b34dfbb61a
SHA512 811dd76df42c9f8f290ffe0ae4c16963c62ff285fe68500c23292f36516e2beb90a152b567593e32e2f30b7c678fac89aab1b274e6c8376c96f7ee8c463b1ff7

C:\Users\Admin\AppData\Roaming\PO7623jarjarjarjarjarjarj.jar

MD5 0e3fdb5b619f6a39b6a6ea16cd930c97
SHA1 43a992927b4019290c7ce11fa0d8f4ac0913c063
SHA256 3bc3579f84354fe3b51fd60254362bb523a76beb34adb1fa1cedd2b34dfbb61a
SHA512 811dd76df42c9f8f290ffe0ae4c16963c62ff285fe68500c23292f36516e2beb90a152b567593e32e2f30b7c678fac89aab1b274e6c8376c96f7ee8c463b1ff7

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 bd23a0c9c41dbfe87855f6f5032c7771
SHA1 ad3d96dec10c5791f7874f8315c2382e56bb0fea
SHA256 d5e47eb34eaee3262cf1a9e1340f4f1634bd72a7f9a91a64dee6cd08caa632a5
SHA512 e54f1f79bd986e6a223cbdfdead504800031da065e179ba28c88ec3564be48113fa248ef889deb13ec2a77c81d75343d8b006fbfcf72d5c25150b3c8744a1356

memory/4256-165-0x0000000000E40000-0x0000000000E41000-memory.dmp