Malware Analysis Report

2024-12-07 20:48

Sample ID 230712-g5gq6scb84
Target Payment_Advice.jar
SHA256 a8060270d19660291d043208190e2ada4cd5f3059976d16fa23f0993933933b4
Tags
strrat persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a8060270d19660291d043208190e2ada4cd5f3059976d16fa23f0993933933b4

Threat Level: Known bad

The file Payment_Advice.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-12 06:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-12 06:23

Reported

2023-07-12 06:25

Platform

win7-20230705-en

Max time kernel

146s

Max time network

152s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Payment_Advice.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice.jar C:\Windows\system32\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payment_Advice = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment_Advice.jar\"" C:\Windows\system32\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment_Advice = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment_Advice.jar\"" C:\Windows\system32\java.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 2948 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2276 wrote to memory of 2948 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2276 wrote to memory of 2948 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2276 wrote to memory of 2908 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2276 wrote to memory of 2908 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2276 wrote to memory of 2908 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2948 wrote to memory of 2404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2948 wrote to memory of 2404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2948 wrote to memory of 2404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2908 wrote to memory of 2080 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 2080 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 2080 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2080 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2080 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2080 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2908 wrote to memory of 2964 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 2964 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 2964 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2964 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2964 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2964 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2908 wrote to memory of 2252 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 2252 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 2252 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2252 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2252 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2252 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2908 wrote to memory of 1732 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 1732 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 1732 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1732 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1732 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Payment_Advice.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment_Advice.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Payment_Advice.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment_Advice.jar"

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list

Network

Country Destination Domain Proto
US 8.8.8.8:53 efcc.duckdns.org udp
US 79.110.49.161:1243 efcc.duckdns.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2276-63-0x0000000000120000-0x0000000000121000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice.jar

MD5 74bc4b7a46e36302aa338043afce7f97
SHA1 17c4d5ddb35a85376865ef623cbdf60e21958e5f
SHA256 a8060270d19660291d043208190e2ada4cd5f3059976d16fa23f0993933933b4
SHA512 e886797be8a02088acd264604f07239730f3ef2c9c840e34e65e922ca92440e4c482972ca839b0710d0da87f17cc4a83b60f775dead062b76937261cb4c8be1b

C:\Users\Admin\AppData\Roaming\Payment_Advice.jar

MD5 74bc4b7a46e36302aa338043afce7f97
SHA1 17c4d5ddb35a85376865ef623cbdf60e21958e5f
SHA256 a8060270d19660291d043208190e2ada4cd5f3059976d16fa23f0993933933b4
SHA512 e886797be8a02088acd264604f07239730f3ef2c9c840e34e65e922ca92440e4c482972ca839b0710d0da87f17cc4a83b60f775dead062b76937261cb4c8be1b

memory/2908-80-0x0000000000320000-0x0000000000321000-memory.dmp

memory/2908-82-0x0000000000320000-0x0000000000321000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-12 06:23

Reported

2023-07-12 06:25

Platform

win10v2004-20230703-en

Max time kernel

148s

Max time network

155s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Payment_Advice.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice.jar C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment_Advice = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment_Advice.jar\"" C:\ProgramData\Oracle\Java\javapath\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment_Advice = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment_Advice.jar\"" C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 416 wrote to memory of 4624 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 416 wrote to memory of 4624 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 416 wrote to memory of 3932 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 416 wrote to memory of 3932 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 4624 wrote to memory of 4048 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4624 wrote to memory of 4048 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3932 wrote to memory of 2948 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3932 wrote to memory of 2948 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2948 wrote to memory of 1912 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2948 wrote to memory of 1912 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3932 wrote to memory of 1772 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3932 wrote to memory of 1772 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1772 wrote to memory of 4072 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1772 wrote to memory of 4072 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3932 wrote to memory of 4408 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3932 wrote to memory of 4408 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4408 wrote to memory of 1916 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4408 wrote to memory of 1916 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3932 wrote to memory of 2684 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3932 wrote to memory of 2684 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 1880 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2684 wrote to memory of 1880 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Payment_Advice.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment_Advice.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Payment_Advice.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment_Advice.jar"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list

Network

Country Destination Domain Proto
US 8.8.8.8:53 126.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 efcc.duckdns.org udp
US 79.110.49.161:1243 efcc.duckdns.org tcp
US 8.8.8.8:53 161.49.110.79.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp

Files

memory/416-143-0x0000000000730000-0x0000000000731000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Payment_Advice.jar

MD5 74bc4b7a46e36302aa338043afce7f97
SHA1 17c4d5ddb35a85376865ef623cbdf60e21958e5f
SHA256 a8060270d19660291d043208190e2ada4cd5f3059976d16fa23f0993933933b4
SHA512 e886797be8a02088acd264604f07239730f3ef2c9c840e34e65e922ca92440e4c482972ca839b0710d0da87f17cc4a83b60f775dead062b76937261cb4c8be1b

C:\Users\Admin\AppData\Roaming\Payment_Advice.jar

MD5 74bc4b7a46e36302aa338043afce7f97
SHA1 17c4d5ddb35a85376865ef623cbdf60e21958e5f
SHA256 a8060270d19660291d043208190e2ada4cd5f3059976d16fa23f0993933933b4
SHA512 e886797be8a02088acd264604f07239730f3ef2c9c840e34e65e922ca92440e4c482972ca839b0710d0da87f17cc4a83b60f775dead062b76937261cb4c8be1b

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 f05dc2d62ff64a32e40c5d9a1d294582
SHA1 b9cf7268d79965adb2318ce2088e4948eae32b3c
SHA256 43053512bd7455b03ffc0d32edc3d9d074d2a9c30196730a5ce0bd1648c5b756
SHA512 e357947189e3de30ef576bcc7f7040a23706a34718299d360383ee8c983375d3872aacd1d4e6b10c2c317c2d2fb66d472870984442a1fb9d8a33e0fe31a5fc3e

memory/3932-168-0x00000000023A0000-0x00000000023A1000-memory.dmp