Malware Analysis Report

2024-12-07 20:47

Sample ID  230709-j8b17scc7s
Target     PaymentAdvicejarjarjarjar.jar
SHA256     80af6e8d6151329f83f063fe1162c41642af8d7b60808bbb1019ba2bccb29ebc
Tags       strrat persistence stealer trojan
Score      10/10


Analysis Overview

Score      10/10
SHA256     80af6e8d6151329f83f063fe1162c41642af8d7b60808bbb1019ba2bccb29ebc

Threat Level: Known bad

The file PaymentAdvicejarjarjarjar.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-09 08:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-09 08:19

Reported

2023-07-09 08:22

Platform

win7-20230703-en

Max time kernel

156s

Max time network

149s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejarjarjarjar.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description  File created
Indicator    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejarjarjarjar.jar
Process      C:\Windows\system32\java.exe
Target       N/A

Adds Run key to start application

persistence
Description  Set value (str)
Indicator    \REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjarjar = "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"
Process      C:\Windows\system32\java.exe
Target       N/A

Description  Set value (str)
Indicator    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjarjar = "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"
Process      C:\Windows\system32\java.exe
Target       N/A

Creates scheduled task(s)

persistence
Description  N/A
Indicator    N/A
Process      C:\Windows\system32\schtasks.exe
Target       N/A

Suspicious use of WriteProcessMemory

Description  PID 1236 wrote to memory of 1968 (3 events)
Indicator    N/A
Process      C:\Windows\system32\java.exe
Target       C:\Windows\system32\cmd.exe

Description  PID 1236 wrote to memory of 2160 (3 events)
Indicator    N/A
Process      C:\Windows\system32\java.exe
Target       C:\Program Files\Java\jre7\bin\java.exe

Description  PID 1968 wrote to memory of 2120 (3 events)
Indicator    N/A
Process      C:\Windows\system32\cmd.exe
Target       C:\Windows\system32\schtasks.exe

Each pair above is a process writing into the child it spawned (java.exe into cmd.exe and java.exe, cmd.exe into schtasks.exe, the same tree as the Processes list below), not a write into an unrelated process; on its own this signature carries little weight next to the persistence indicators.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejarjarjarjar.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"

Network

Country  Destination         Domain            Proto
US       8.8.8.8:53          efcc.duckdns.org  udp
US       79.110.49.161:1243  efcc.duckdns.org  tcp
N/A      127.0.0.1:1243      -                 tcp
US       79.110.49.161:1243  efcc.duckdns.org  tcp
N/A      127.0.0.1:1243      -                 tcp
US       79.110.49.161:1243  efcc.duckdns.org  tcp
N/A      127.0.0.1:1243      -                 tcp
US       8.8.8.8:53          efcc.duckdns.org  udp
US       79.110.49.161:1243  efcc.duckdns.org  tcp
N/A      127.0.0.1:1243      -                 tcp

Files

memory/1236-63-0x0000000000120000-0x0000000000121000-memory.dmp

memory/1236-64-0x0000000000120000-0x0000000000121000-memory.dmp

memory/1236-82-0x0000000000120000-0x0000000000121000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejarjarjarjar.jar

MD5 233289b050dbef1acab4575d172f4108
SHA1 ca1d2bb3798673e394d3989c883ca6cae4f398cc
SHA256 80af6e8d6151329f83f063fe1162c41642af8d7b60808bbb1019ba2bccb29ebc
SHA512 d30c33ed3f0465cb0fcd3726455452cdd8dc11eb385556a516b4a1457236f0cbdc9dfb05d775aa673eba2051ef26b1fb81a0a4ce270cdae6c6a92db958280bd1

C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar

MD5 233289b050dbef1acab4575d172f4108
SHA1 ca1d2bb3798673e394d3989c883ca6cae4f398cc
SHA256 80af6e8d6151329f83f063fe1162c41642af8d7b60808bbb1019ba2bccb29ebc
SHA512 d30c33ed3f0465cb0fcd3726455452cdd8dc11eb385556a516b4a1457236f0cbdc9dfb05d775aa673eba2051ef26b1fb81a0a4ce270cdae6c6a92db958280bd1

memory/2160-108-0x0000000001B60000-0x0000000001B61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-09 08:19

Reported

2023-07-09 08:22

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

151s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejarjarjarjar.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description  File created
Indicator    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejarjarjarjar.jar
Process      C:\ProgramData\Oracle\Java\javapath\java.exe
Target       N/A

Adds Run key to start application

persistence
Description  Set value (str)
Indicator    \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjarjar = "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"
Process      C:\ProgramData\Oracle\Java\javapath\java.exe
Target       N/A

Description  Set value (str)
Indicator    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjarjar = "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"
Process      C:\ProgramData\Oracle\Java\javapath\java.exe
Target       N/A

Creates scheduled task(s)

persistence
Description  N/A
Indicator    N/A
Process      C:\Windows\system32\schtasks.exe
Target       N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejarjarjarjar.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"
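The behavioral1 and behavioral2 runs show the same three-legged persistence chain: the sample copies itself unchanged (the dropped copies in the Files sections carry the sample's own SHA256) to AppData\Roaming and into the Startup folders, writes javaw.exe -jar launchers for that copy to both the HKCU and HKLM Run keys, and spawns cmd.exe to register a task named Skype that runs the .jar every 30 minutes. Note that the task action is the bare .jar path, so it relies on the .jar file association rather than a named interpreter, and that the HKLM Run write only succeeds with administrative rights, which the sandbox user evidently had; on a standard-user host expect the HKCU key alone. The following Python is an added example, not part of the sandbox report: it replays these events as constructed Sysmon-style process-create, registry-set and file-create telemetry (parent PIDs and the event source are assumptions) and flags each leg of the chain while leaving a benign scheduled task and a benign Run entry alone.

```python
"""Detection for the STRRAT persistence chain recorded in behavioral1/behavioral2.

Added example, not part of the sandbox report. Three checks over constructed
Sysmon-style telemetry (assumed event source):
  1. schtasks.exe /create whose /tr is a .jar or a path under AppData\\Roaming,
     or whose ancestry includes a JVM;
  2. Run-key values launching java(w).exe -jar on a .jar under AppData\\Roaming;
  3. .jar files written into a Startup folder.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry: (pid, ppid, image, command_line) from the
# behavioral1 run above plus one benign control. Parent PIDs are assumed.
PROCESS_EVENTS = [
    (1236, 900, r"C:\Windows\system32\java.exe",
     r"java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejarjarjarjar.jar"),
    (1968, 1236, r"C:\Windows\system32\cmd.exe",
     r'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"'),
    (2120, 1968, r"C:\Windows\system32\schtasks.exe",
     r'schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"'),
    (2160, 1236, r"C:\Program Files\Java\jre7\bin\java.exe",
     r'"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"'),
    (3000, 2900, r"C:\Windows\system32\schtasks.exe",  # benign control
     r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'),
]
# (pid, key, value) registry writes; the two Run keys are from the report.
REGISTRY_EVENTS = [
    (1236, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjarjar",
     r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"'),
    (1236, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjarjar",
     r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"'),
    (4000, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",  # benign control
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
# (pid, path) file creations from the report's signature rows and Files sections.
FILE_EVENTS = [
    (1236, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejarjarjarjar.jar"),
    (1236, r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejarjarjarjar.jar"),
    (1236, r"C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar"),
]

JVM_IMAGES = {"java.exe", "javaw.exe"}
APPDATA_ROAMING = re.compile(r"\\AppData\\Roaming\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


@dataclass
class Finding:
    check: str
    pid: int
    detail: str


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def schtasks_args(cmdline):
    """Map schtasks switches to values: {'/create': True, '/sc': 'minute', '/tn': 'Skype', ...}."""
    toks, args = tokens(cmdline), {}
    for i, tok in enumerate(toks):
        if tok.startswith("/"):
            has_value = i + 1 < len(toks) and not toks[i + 1].startswith("/")
            args[tok.lower()] = toks[i + 1] if has_value else True
    return args


def ancestry(pid, by_pid, depth=4):
    """Image names of pid and its ancestors, nearest first, as far as the telemetry reaches."""
    chain = []
    while pid in by_pid and len(chain) < depth:
        ppid, image, _ = by_pid[pid]
        chain.append(image.rsplit("\\", 1)[-1].lower())
        pid = ppid
    return chain


def detect(process_events, registry_events, file_events):
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in process_events}
    findings = []
    for pid, ppid, image, cmd in process_events:
        if not image.lower().endswith("\\schtasks.exe"):
            continue
        args = schtasks_args(cmd)
        if "/create" not in args:
            continue
        action = str(args.get("/tr", ""))
        jvm_ancestor = any(img in JVM_IMAGES for img in ancestry(ppid, by_pid))
        # A bare .jar action names no interpreter: the task leans on the .jar file association.
        if action.lower().endswith(".jar") or APPDATA_ROAMING.search(action) or jvm_ancestor:
            findings.append(Finding("schtasks_jar_task", pid,
                f"task {args.get('/tn')!r} runs {action!r} every {args.get('/mo')} {args.get('/sc')}; "
                f"JVM ancestor={jvm_ancestor}"))
    for pid, key, value in registry_events:
        is_run_key = "\\currentversion\\run\\" in key.lower()
        launches_jar = re.search(r'javaw?\.exe"?\s+-jar\s', value, re.I) is not None
        if is_run_key and launches_jar and APPDATA_ROAMING.search(value):
            findings.append(Finding("run_key_jar", pid, f"{key} = {value}"))
    for pid, path in file_events:
        if STARTUP_DIR.search(path) and path.lower().endswith(".jar"):
            findings.append(Finding("startup_jar", pid, path))
    return findings


if __name__ == "__main__":
    for f in detect(PROCESS_EVENTS, REGISTRY_EVENTS, FILE_EVENTS):
        print(f"[{f.check}] pid={f.pid}: {f.detail}")
```

Against the constructed telemetry this yields five findings: the Skype task, both Run keys and both Startup-folder copies; the Backup task and the OneDrive Run entry pass. The ancestry check is what separates this from a generic "schtasks was run" rule: a task created from a cmd.exe whose parent is a JVM is the shape of this sample's chain, whichever task name it picks.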

Network

Country  Destination         Domain                      Proto
US       8.8.8.8:53          2.159.190.20.in-addr.arpa   udp
US       8.8.8.8:53          efcc.duckdns.org            udp
US       79.110.49.161:1243  efcc.duckdns.org            tcp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa  udp
N/A      127.0.0.1:1243      -                           tcp
US       79.110.49.161:1243  efcc.duckdns.org            tcp
N/A      127.0.0.1:1243      -                           tcp
US       79.110.49.161:1243  efcc.duckdns.org            tcp
US       8.8.8.8:53          2.77.109.52.in-addr.arpa    udp
N/A      127.0.0.1:1243      -                           tcp
US       79.110.49.161:1243  efcc.duckdns.org            tcp
N/A      127.0.0.1:1243      -                           tcp
US       8.8.8.8:53          efcc.duckdns.org            udp
US       79.110.49.161:1243  efcc.duckdns.org            tcp
US       8.8.8.8:53          9.179.89.13.in-addr.arpa    udp
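Both Network tables (behavioral1 above and behavioral2 here) show the same traffic pattern: the sample resolves efcc.duckdns.org, a hostname on a free dynamic-DNS service, then connects repeatedly to 79.110.49.161 on TCP 1243, a port no standard service uses, with each outbound connection paired with a connection to 127.0.0.1 on that same port; the behavioral2 run additionally issues reverse (PTR) lookups for four unrelated addresses. The Python below is an added example, not part of the report: it parses the rows exactly as the report prints them (copied inline as sample input) and extracts those four observations so they can be compared across runs. The dynamic-DNS suffix list and the repeat threshold are assumptions to tune against your own intelligence.

```python
"""Triage of the sandbox Network tables (behavioral1 and behavioral2).

Added example, not part of the report. Parses 'Country Destination [Domain] Proto'
rows and pulls out: dynamic-DNS hostnames, repeated TCP connections to one
external IP:port off the common ports, loopback connections on that same port,
and reverse (PTR) lookups converted back to the address they name.
"""
import ipaddress
from collections import Counter

# Sample input: the two Network tables as printed in the report.
BEHAVIORAL1_ROWS = """
US 8.8.8.8:53 efcc.duckdns.org udp
US 79.110.49.161:1243 efcc.duckdns.org tcp
N/A 127.0.0.1:1243 tcp
US 79.110.49.161:1243 efcc.duckdns.org tcp
N/A 127.0.0.1:1243 tcp
US 79.110.49.161:1243 efcc.duckdns.org tcp
N/A 127.0.0.1:1243 tcp
US 8.8.8.8:53 efcc.duckdns.org udp
US 79.110.49.161:1243 efcc.duckdns.org tcp
N/A 127.0.0.1:1243 tcp
"""
BEHAVIORAL2_ROWS = """
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 efcc.duckdns.org udp
US 79.110.49.161:1243 efcc.duckdns.org tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:1243 tcp
US 79.110.49.161:1243 efcc.duckdns.org tcp
N/A 127.0.0.1:1243 tcp
US 79.110.49.161:1243 efcc.duckdns.org tcp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
N/A 127.0.0.1:1243 tcp
US 79.110.49.161:1243 efcc.duckdns.org tcp
N/A 127.0.0.1:1243 tcp
US 8.8.8.8:53 efcc.duckdns.org udp
US 79.110.49.161:1243 efcc.duckdns.org tcp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
"""

# Assumed starting list of free dynamic-DNS providers; extend from your own intel.
DDNS_SUFFIXES = (".duckdns.org", ".no-ip.com", ".ddns.net", ".hopto.org", ".zapto.org")
COMMON_PORTS = {53, 80, 443}
REPEAT_THRESHOLD = 3  # connections to one IP:port before it counts as a C2 candidate
PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Rows to dicts; the Domain column is absent for the loopback connections."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue  # not a data row
        ip, _, port = dest.rpartition(":")
        flows.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain.lower(), "proto": proto.lower()})
    return flows


def ptr_to_ip(name):
    """'2.159.190.20.in-addr.arpa' -> '20.190.159.2' (PTR names store the octets reversed)."""
    base = name[:-len(PTR_SUFFIX)] if name.endswith(PTR_SUFFIX) else name
    return ".".join(reversed(base.split(".")))


def triage(text):
    flows = parse_rows(text)
    ddns = sorted({f["domain"] for f in flows if f["domain"].endswith(DDNS_SUFFIXES)})
    external = Counter((f["ip"], f["port"]) for f in flows
                       if f["proto"] == "tcp" and not ipaddress.ip_address(f["ip"]).is_loopback)
    c2 = sorted((ip, port, n) for (ip, port), n in external.items()
                if n >= REPEAT_THRESHOLD and port not in COMMON_PORTS)
    c2_ports = {port for _, port, _ in c2}
    loopback_on_c2_port = sum(1 for f in flows
                              if ipaddress.ip_address(f["ip"]).is_loopback and f["port"] in c2_ports)
    ptr = sorted({ptr_to_ip(f["domain"]) for f in flows if f["domain"].endswith(PTR_SUFFIX)})
    return {"ddns_domains": ddns, "c2_candidates": c2,
            "loopback_on_c2_port": loopback_on_c2_port, "ptr_lookups": ptr}


if __name__ == "__main__":
    for run, rows in (("behavioral1", BEHAVIORAL1_ROWS), ("behavioral2", BEHAVIORAL2_ROWS)):
        print(run, triage(rows))
```

For behavioral1 this reports efcc.duckdns.org as the dynamic-DNS hostname, 79.110.49.161:1243 with four connections as the C2 candidate, four loopback connections on port 1243 and no PTR lookups; behavioral2 differs only in one extra C2 connection and the four reverse lookups. The loopback pairing is worth recording as an observation, but the report gives no process attribution for it, so the script counts it without assigning a cause.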

Files

memory/4124-146-0x0000000001060000-0x0000000001061000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\PaymentAdvicejarjarjarjar.jar

MD5 233289b050dbef1acab4575d172f4108
SHA1 ca1d2bb3798673e394d3989c883ca6cae4f398cc
SHA256 80af6e8d6151329f83f063fe1162c41642af8d7b60808bbb1019ba2bccb29ebc
SHA512 d30c33ed3f0465cb0fcd3726455452cdd8dc11eb385556a516b4a1457236f0cbdc9dfb05d775aa673eba2051ef26b1fb81a0a4ce270cdae6c6a92db958280bd1

memory/4124-152-0x0000000001060000-0x0000000001061000-memory.dmp

C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjarjar.jar

MD5 233289b050dbef1acab4575d172f4108
SHA1 ca1d2bb3798673e394d3989c883ca6cae4f398cc
SHA256 80af6e8d6151329f83f063fe1162c41642af8d7b60808bbb1019ba2bccb29ebc
SHA512 d30c33ed3f0465cb0fcd3726455452cdd8dc11eb385556a516b4a1457236f0cbdc9dfb05d775aa673eba2051ef26b1fb81a0a4ce270cdae6c6a92db958280bd1

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 bfce8cfa096dd06cda85a33b2964c991
SHA1 044f91d05641713c62cdd5e03eb30bb89a45516a
SHA256 9fb47a95f22ed8d32016588fa5f0ff8152d28da2da62386556f4ffd9914e4625
SHA512 d64b1fd54bfed25adfb4b2fec29a902aa9952eda1d9e30b227b5f8bacb0cc0779cc019e2445f159fdd4ada85d71e0129dd024630647590ae4509fc019b2c2ef4

memory/2744-165-0x0000000000ED0000-0x0000000000ED1000-memory.dmp