Malware Analysis Report

2024-12-07 20:47

Sample ID 230713-ge513sfd68
Target Angebotsanfrage.jar
SHA256 7ec876784f3dd0ae0fecdc23e3ec76fc7a61218dda76f805e62d1a3f87e9a1b4
Tags strrat persistence stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ec876784f3dd0ae0fecdc23e3ec76fc7a61218dda76f805e62d1a3f87e9a1b4

Threat Level: Known bad

The file Angebotsanfrage.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-13 05:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-13 05:44

Reported

2023-07-13 05:46

Platform

win7-20230712-en

Max time kernel

150s

Max time network

152s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Angebotsanfrage.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Angebotsanfrage.jar C:\Windows\system32\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Angebotsanfrage = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Angebotsanfrage.jar\"" C:\Windows\system32\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Angebotsanfrage = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Angebotsanfrage.jar\"" C:\Windows\system32\java.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 2016 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2072 wrote to memory of 2844 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2016 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Angebotsanfrage.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
RU 194.147.140.212:4787 tcp

Files

memory/2072-63-0x0000000000320000-0x0000000000321000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Angebotsanfrage.jar

MD5 faca6e93d8a5c02606c8625e396d671a
SHA1 facef2a7e438285af6037c1c37b4e5eb1c41b54a
SHA256 7ec876784f3dd0ae0fecdc23e3ec76fc7a61218dda76f805e62d1a3f87e9a1b4
SHA512 617f23642637c7e9d16868cf81a5af97df4ebd1b5134c32447b9f7d1f23adf6dacd1a215f2b9f50eb0de999ea0b1a7f0559994268997dad66362a9af399c707a

C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar

MD5 faca6e93d8a5c02606c8625e396d671a
SHA1 facef2a7e438285af6037c1c37b4e5eb1c41b54a
SHA256 7ec876784f3dd0ae0fecdc23e3ec76fc7a61218dda76f805e62d1a3f87e9a1b4
SHA512 617f23642637c7e9d16868cf81a5af97df4ebd1b5134c32447b9f7d1f23adf6dacd1a215f2b9f50eb0de999ea0b1a7f0559994268997dad66362a9af399c707a

memory/2844-80-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-13 05:44

Reported

2023-07-13 05:46

Platform

win10v2004-20230703-en

Max time kernel

149s

Max time network

154s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Angebotsanfrage.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Angebotsanfrage.jar C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Angebotsanfrage = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Angebotsanfrage.jar\"" C:\ProgramData\Oracle\Java\javapath\java.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Angebotsanfrage = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Angebotsanfrage.jar\"" C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Angebotsanfrage.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp

Files

memory/4328-143-0x0000000002950000-0x0000000002951000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Angebotsanfrage.jar

MD5 faca6e93d8a5c02606c8625e396d671a
SHA1 facef2a7e438285af6037c1c37b4e5eb1c41b54a
SHA256 7ec876784f3dd0ae0fecdc23e3ec76fc7a61218dda76f805e62d1a3f87e9a1b4
SHA512 617f23642637c7e9d16868cf81a5af97df4ebd1b5134c32447b9f7d1f23adf6dacd1a215f2b9f50eb0de999ea0b1a7f0559994268997dad66362a9af399c707a

C:\Users\Admin\AppData\Roaming\Angebotsanfrage.jar

MD5 faca6e93d8a5c02606c8625e396d671a
SHA1 facef2a7e438285af6037c1c37b4e5eb1c41b54a
SHA256 7ec876784f3dd0ae0fecdc23e3ec76fc7a61218dda76f805e62d1a3f87e9a1b4
SHA512 617f23642637c7e9d16868cf81a5af97df4ebd1b5134c32447b9f7d1f23adf6dacd1a215f2b9f50eb0de999ea0b1a7f0559994268997dad66362a9af399c707a

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 995196e2c9a5aec0802d6c969bf26298
SHA1 34ea94241534d3c79c1bcd98b0b4e1f038acbc39
SHA256 d8cb69245bb875653161f6d6256be51bff1361dcec4254c9d88ab16c759e9312
SHA512 859c2e791a957c2a57c835bbe6d85e04e9bd34f51002c60e880c585178e7380fc4762896a5170a94dcb85a91d0b199ae426635bab6851db86f438f093791c508

memory/3356-167-0x0000000002920000-0x0000000002921000-memory.dmp