Malware Analysis Report

2024-12-07 20:40

Sample ID 230712-g5gq6scb85
Target Bestellung-ORUCGmbH.jar
SHA256 6073c3a906b1ae2333aaf85c00b624633f5cb4e188f385f0c1ac49a103beb2d7
Tags
strrat persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6073c3a906b1ae2333aaf85c00b624633f5cb4e188f385f0c1ac49a103beb2d7

Threat Level: Known bad

The file Bestellung-ORUCGmbH.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-12 06:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-12 06:23

Reported

2023-07-12 06:25

Platform

win7-20230703-en

Max time kernel

145s

Max time network

149s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Bestellung-ORUCGmbH.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bestellung-ORUCGmbH.jar C:\Windows\system32\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bestellung-ORUCGmbH = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Bestellung-ORUCGmbH.jar\"" C:\Windows\system32\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bestellung-ORUCGmbH = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Bestellung-ORUCGmbH.jar\"" C:\Windows\system32\java.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 2924 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2388 wrote to memory of 2924 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2388 wrote to memory of 2924 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2388 wrote to memory of 2116 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2388 wrote to memory of 2116 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2388 wrote to memory of 2116 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2924 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2924 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2924 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2116 wrote to memory of 1768 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2116 wrote to memory of 1768 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2116 wrote to memory of 1768 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1768 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1768 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1768 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2116 wrote to memory of 2052 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2116 wrote to memory of 2052 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2116 wrote to memory of 2052 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2052 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2052 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2052 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2116 wrote to memory of 2212 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2116 wrote to memory of 2212 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2116 wrote to memory of 2212 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2212 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2212 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2212 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2116 wrote to memory of 2748 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2116 wrote to memory of 2748 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2116 wrote to memory of 2748 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2748 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2748 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2748 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Bestellung-ORUCGmbH.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Bestellung-ORUCGmbH.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Bestellung-ORUCGmbH.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Bestellung-ORUCGmbH.jar"

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list

Network

Country Destination Domain Proto
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2388-63-0x0000000000320000-0x0000000000321000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bestellung-ORUCGmbH.jar

MD5 c5fc84892790404ad6fcec27ad3ea505
SHA1 8cae8fd7e353b6203fceefd2745b6a4e2b8ce16f
SHA256 6073c3a906b1ae2333aaf85c00b624633f5cb4e188f385f0c1ac49a103beb2d7
SHA512 f0ccde487f3a5ed004992125d5c78f2a086e3e0491a02b09b61ea4f4ae62cfea05f15495f742ed9d2b5a7c495db746d464e1d58ed657a0fd6705ee7b615f9ce5

C:\Users\Admin\AppData\Roaming\Bestellung-ORUCGmbH.jar

MD5 c5fc84892790404ad6fcec27ad3ea505
SHA1 8cae8fd7e353b6203fceefd2745b6a4e2b8ce16f
SHA256 6073c3a906b1ae2333aaf85c00b624633f5cb4e188f385f0c1ac49a103beb2d7
SHA512 f0ccde487f3a5ed004992125d5c78f2a086e3e0491a02b09b61ea4f4ae62cfea05f15495f742ed9d2b5a7c495db746d464e1d58ed657a0fd6705ee7b615f9ce5

memory/2116-80-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2116-82-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2116-83-0x0000000000120000-0x0000000000121000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-12 06:23

Reported

2023-07-12 06:25

Platform

win10v2004-20230703-en

Max time kernel

147s

Max time network

152s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Bestellung-ORUCGmbH.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bestellung-ORUCGmbH.jar C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bestellung-ORUCGmbH = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Bestellung-ORUCGmbH.jar\"" C:\ProgramData\Oracle\Java\javapath\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bestellung-ORUCGmbH = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Bestellung-ORUCGmbH.jar\"" C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 400 wrote to memory of 3736 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 400 wrote to memory of 3736 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 400 wrote to memory of 1712 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 400 wrote to memory of 1712 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 3736 wrote to memory of 2680 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3736 wrote to memory of 2680 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1712 wrote to memory of 3476 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1712 wrote to memory of 3476 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3476 wrote to memory of 4780 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3476 wrote to memory of 4780 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1712 wrote to memory of 668 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1712 wrote to memory of 668 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 668 wrote to memory of 4188 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 668 wrote to memory of 4188 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1712 wrote to memory of 3336 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1712 wrote to memory of 3336 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3336 wrote to memory of 1320 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3336 wrote to memory of 1320 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1712 wrote to memory of 996 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1712 wrote to memory of 996 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 996 wrote to memory of 4684 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 996 wrote to memory of 4684 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Bestellung-ORUCGmbH.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Bestellung-ORUCGmbH.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Bestellung-ORUCGmbH.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Bestellung-ORUCGmbH.jar"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 126.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 212.140.147.194.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 112.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/400-143-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Bestellung-ORUCGmbH.jar

MD5 c5fc84892790404ad6fcec27ad3ea505
SHA1 8cae8fd7e353b6203fceefd2745b6a4e2b8ce16f
SHA256 6073c3a906b1ae2333aaf85c00b624633f5cb4e188f385f0c1ac49a103beb2d7
SHA512 f0ccde487f3a5ed004992125d5c78f2a086e3e0491a02b09b61ea4f4ae62cfea05f15495f742ed9d2b5a7c495db746d464e1d58ed657a0fd6705ee7b615f9ce5

memory/400-149-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Bestellung-ORUCGmbH.jar

MD5 c5fc84892790404ad6fcec27ad3ea505
SHA1 8cae8fd7e353b6203fceefd2745b6a4e2b8ce16f
SHA256 6073c3a906b1ae2333aaf85c00b624633f5cb4e188f385f0c1ac49a103beb2d7
SHA512 f0ccde487f3a5ed004992125d5c78f2a086e3e0491a02b09b61ea4f4ae62cfea05f15495f742ed9d2b5a7c495db746d464e1d58ed657a0fd6705ee7b615f9ce5

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 c0b21302f24002990f981bd76f1e3997
SHA1 9907c1b5950d4850b8f1ecc4bbddc2e3361f43f1
SHA256 2f083cde238dfd552efcf5e2c0375c08eaf6793e8a1aecc9aac52ea29a01b026
SHA512 b77deb82652fe426760c131273b441e84a55823bb2b54b8dd0b6d1e3c8ad00ded89f5c74483bd37cae8f062affc7050bb00983182ea476cb82da824ef2ecb54e

memory/1712-162-0x0000000002240000-0x0000000002241000-memory.dmp

memory/1712-167-0x0000000002240000-0x0000000002241000-memory.dmp