Malware Analysis Report

2024-12-07 20:47

Sample ID 230713-e4xd5agc9s
Target Angebotsanfrage.jar
SHA256 7ec876784f3dd0ae0fecdc23e3ec76fc7a61218dda76f805e62d1a3f87e9a1b4
Tags
strrat persistence stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

7ec876784f3dd0ae0fecdc23e3ec76fc7a61218dda76f805e62d1a3f87e9a1b4

Threat Level: Known bad

The file Angebotsanfrage.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-13 04:30

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-13 04:30

Reported

2023-07-13 04:32

Platform

win10v2004-20230703-en

Max time kernel

145s

Max time network

152s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Angebotsanfrage.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Angebotsanfrage.jar | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Angebotsanfrage = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Angebotsanfrage.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Angebotsanfrage = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Angebotsanfrage.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Angebotsanfrage.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar"

Network

Country | Destination | Domain | Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 254.209.247.8.in-addr.arpa udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp

Files

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Angebotsanfrage.jar

MD5 faca6e93d8a5c02606c8625e396d671a
SHA1 facef2a7e438285af6037c1c37b4e5eb1c41b54a
SHA256 7ec876784f3dd0ae0fecdc23e3ec76fc7a61218dda76f805e62d1a3f87e9a1b4
SHA512 617f23642637c7e9d16868cf81a5af97df4ebd1b5134c32447b9f7d1f23adf6dacd1a215f2b9f50eb0de999ea0b1a7f0559994268997dad66362a9af399c707a

memory/4060-151-0x0000000002050000-0x0000000002051000-memory.dmp

C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar

MD5 faca6e93d8a5c02606c8625e396d671a
SHA1 facef2a7e438285af6037c1c37b4e5eb1c41b54a
SHA256 7ec876784f3dd0ae0fecdc23e3ec76fc7a61218dda76f805e62d1a3f87e9a1b4
SHA512 617f23642637c7e9d16868cf81a5af97df4ebd1b5134c32447b9f7d1f23adf6dacd1a215f2b9f50eb0de999ea0b1a7f0559994268997dad66362a9af399c707a

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 6040801feeed4814cb2eb165ce2b2f64
SHA1 04ed68a057fe74342239cd2b43cd9f3217ab7537
SHA256 b85b8caf0502d01bd21079770039c66ef8a454d72622935f1595b5026d494b25
SHA512 eb1820076dce683e9f5701bc38cf8b6219fa3cf494fd409b8abb36492aa06b6049017454ef39f95c354f2b59e7ca7a9b3480658f56c6f582a6b1c8b07aae5652

memory/3928-167-0x0000000002860000-0x0000000002861000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-13 04:30

Reported

2023-07-13 04:32

Platform

win7-20230712-en

Max time kernel

122s

Max time network

125s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Angebotsanfrage.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Angebotsanfrage.jar | C:\Windows\system32\java.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Angebotsanfrage = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Angebotsanfrage.jar\"" | C:\Windows\system32\java.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\Angebotsanfrage = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Angebotsanfrage.jar\"" | C:\Windows\system32\java.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2296 wrote to memory of 3048 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2296 wrote to memory of 3048 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2296 wrote to memory of 3048 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2296 wrote to memory of 2416 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 2296 wrote to memory of 2416 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 2296 wrote to memory of 2416 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 3048 wrote to memory of 2516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 3048 wrote to memory of 2516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 3048 wrote to memory of 2516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Angebotsanfrage.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar"

Network

N/A

Files

memory/2296-63-0x0000000000320000-0x0000000000321000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Angebotsanfrage.jar

MD5 faca6e93d8a5c02606c8625e396d671a
SHA1 facef2a7e438285af6037c1c37b4e5eb1c41b54a
SHA256 7ec876784f3dd0ae0fecdc23e3ec76fc7a61218dda76f805e62d1a3f87e9a1b4
SHA512 617f23642637c7e9d16868cf81a5af97df4ebd1b5134c32447b9f7d1f23adf6dacd1a215f2b9f50eb0de999ea0b1a7f0559994268997dad66362a9af399c707a

C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar

MD5 faca6e93d8a5c02606c8625e396d671a
SHA1 facef2a7e438285af6037c1c37b4e5eb1c41b54a
SHA256 7ec876784f3dd0ae0fecdc23e3ec76fc7a61218dda76f805e62d1a3f87e9a1b4
SHA512 617f23642637c7e9d16868cf81a5af97df4ebd1b5134c32447b9f7d1f23adf6dacd1a215f2b9f50eb0de999ea0b1a7f0559994268997dad66362a9af399c707a

memory/2416-80-0x0000000000120000-0x0000000000121000-memory.dmp