Malware Analysis Report

2024-12-07 20:47

Sample ID: 230718-evs1cagc43
Target: PaymentAdvice.jar
SHA256: 8b235767d5a49ed7fdcdc6964f6c0f2cd9b389e4f9de7121814c9947796ccf28
Tags: strrat persistence stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 8b235767d5a49ed7fdcdc6964f6c0f2cd9b389e4f9de7121814c9947796ccf28

Threat Level: Known bad (the file PaymentAdvice.jar was found to be known bad)

Malicious Activity Summary

Tags: strrat persistence stealer trojan

STRRAT
Drops startup file
Adds Run key to start application
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-18 04:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-18 04:16
Reported: 2023-07-18 04:18
Platform: win7-20230712-en
Max time kernel: 121s
Max time network: 124s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description     File created
Indicator       C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvice.jar
Process         C:\Windows\system32\java.exe
Target          N/A

Adds Run key to start application

persistence

Description     Set value (str)
Indicator       HKLM: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvice = "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar"
Process         C:\Windows\system32\java.exe
Target          N/A

Description     Set value (str)
Indicator       HKCU (SID S-1-5-21-2969888527-3102471180-2307688834-1000): \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\PaymentAdvice = "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar"
Process         C:\Windows\system32\java.exe
Target          N/A

The values are shown unescaped; the sandbox exports them with JSON-style backslash escaping. The same launcher is written under both HKLM and HKCU, so clearing only one of the two Run keys leaves the jar persisting.

Creates scheduled task(s)

persistence

Description     Indicator     Process                              Target
N/A             N/A           C:\Windows\system32\schtasks.exe     N/A

The schtasks command line is listed under Processes below.

Suspicious use of WriteProcessMemory

Description                         Indicator     Process                                     Target
PID 2140 wrote to memory of 1312    N/A           C:\Windows\system32\java.exe                C:\Windows\system32\cmd.exe
PID 1312 wrote to memory of 2788    N/A           C:\Windows\system32\cmd.exe                 C:\Windows\system32\schtasks.exe
PID 2140 wrote to memory of 1344    N/A           C:\Windows\system32\java.exe                C:\Program Files\Java\jre7\bin\java.exe

Each row was recorded three times in the original report; the repeats are collapsed here. The rows give the parent/child relationships: java.exe (2140) started cmd.exe (1312) and the JRE's java.exe (1344), and cmd.exe started schtasks.exe (2788).
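The WriteProcessMemory rows are the only place this report exposes parent/child PIDs, so an analyst usually wants them turned into a process tree. The parser below is an added example, not part of the sandbox report or its tooling: it takes the rows in the flat "Description Indicator Process Target" form the report uses (SAMPLE_LINES is constructed from the behavioral1 rows, including the three-fold repeats), collapses repeated edges while keeping their count, and renders the tree. The line format it assumes is exactly the one shown above; other sandboxes word these events differently.

```python
"""Rebuild the detonation's process tree from WriteProcessMemory rows.

Added example, not part of the sandbox report. Each "PID A wrote to memory
of B" row records parent A writing into child B; the report repeats each
edge, so repeats are collapsed and counted.
"""
import re
from collections import Counter

# Columns: "PID <parent> wrote to memory of <child>", indicator, parent image, child image.
# The child image is anchored on a drive letter so a parent path containing spaces
# ("C:\Program Files\...") still splits correctly.
LINE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (.+?) ([A-Za-z]:\\.*)$")

# Constructed from the behavioral1 signature table (flat form, repeats included).
SAMPLE_LINES = r"""
PID 2140 wrote to memory of 1312 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 1312 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 1312 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 1312 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1312 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1312 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2140 wrote to memory of 1344 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2140 wrote to memory of 1344 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2140 wrote to memory of 1344 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
""".strip().splitlines()


def parse_edges(lines):
    """Return ({(parent_pid, child_pid): count}, {pid: image_path})."""
    edges, images = Counter(), {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a WriteProcessMemory row; skip it
        parent, child, _indicator, parent_img, child_img = m.groups()
        edges[(int(parent), int(child))] += 1
        images.setdefault(int(parent), parent_img)
        images.setdefault(int(child), child_img)
    return edges, images


def build_tree(edges):
    """Nested {pid: {child_pid: {...}}} rooted at every PID that is never a child."""
    children = {}
    for parent, child in edges:  # Counter keeps first-seen order and has no repeats
        children.setdefault(parent, []).append(child)
    is_child = {c for _, c in edges}
    roots = list(dict.fromkeys(p for p, _ in edges if p not in is_child))

    def subtree(pid, seen):
        if pid in seen:  # guard: PID reuse in long captures can form a cycle
            return {}
        return {c: subtree(c, seen | {pid}) for c in children.get(pid, [])}

    return {r: subtree(r, frozenset()) for r in roots}


def render(tree, images, depth=0):
    """Indented text rendering, one process per line: name (pid)."""
    out = []
    for pid, kids in tree.items():
        name = images.get(pid, "?").rsplit("\\", 1)[-1]
        out.append("  " * depth + f"{name} ({pid})")
        out.extend(render(kids, images, depth + 1))
    return out


def process_tree(lines):
    edges, images = parse_edges(lines)
    return render(build_tree(edges), images)


if __name__ == "__main__":
    print("\n".join(process_tree(SAMPLE_LINES)))
```

Run on the rows above this prints java.exe (2140) with cmd.exe (1312) and the JRE's java.exe (1344) beneath it, and schtasks.exe (2788) beneath cmd.exe; parse_edges also reports the count of 3 for every edge, which is how the sandbox's repeated rows show up.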

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe (PID 2140)
  java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.jar

C:\Windows\system32\cmd.exe (PID 1312, child of 2140)
  cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar"

C:\Windows\system32\schtasks.exe (PID 2788, child of 1312)
  schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar"

C:\Program Files\Java\jre7\bin\java.exe (PID 1344, child of 2140)
  "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar"

PIDs and parent/child links are taken from the WriteProcessMemory rows above. The submitted jar copies itself to C:\Users\Admin\AppData\Roaming, registers a scheduled task named "Skype" that runs that copy every 30 minutes (the task action is the .jar path itself rather than a java.exe command line), and then launches the copy through the installed JRE. Together with the Startup-folder drop and the two Run keys, that gives four separate persistence hooks for the same file.
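The persistence chain above (Startup-folder drop, HKLM and HKCU Run keys, a minute-interval scheduled task, and java.exe spawning cmd.exe spawning schtasks.exe) is what a hunt query should key on, and it generalises beyond this sample: any scheduled task or Run key that launches a .jar from a user-writable directory is worth a look. The rules below are an added example written for this page, not the sandbox's own signatures. SAMPLE_EVENTS is constructed from the command lines, registry writes and file drop listed in this report; the event dict layout (type, pid, ppid, image, cmdline, key, value, path) is an assumed EDR-style export, not the sandbox's format.

```python
"""Hunt rules for the persistence chain this report shows.

Added example, not part of the sandbox report. SAMPLE_EVENTS is built from
the command lines, registry writes and file drop listed above; the dict
layout is an assumed EDR-style export, not the sandbox's own format.
"""
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# Directories a standard user can write to; a launcher pointing here is the signal.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")

RUN_KEY_ACTION = r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar"'
SAMPLE_EVENTS = [  # constructed from the report; ppid None = parent not captured
    {"type": "process", "pid": 2140, "ppid": None, "image": r"C:\Windows\system32\java.exe",
     "cmdline": r"java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.jar"},
    {"type": "process", "pid": 1312, "ppid": 2140, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar"'},
    {"type": "process", "pid": 2788, "ppid": 1312, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar"'},
    {"type": "registry", "pid": 2140, "value": RUN_KEY_ACTION,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvice"},
    {"type": "registry", "pid": 2140, "value": RUN_KEY_ACTION,
     "key": r"\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\PaymentAdvice"},
    {"type": "file_create", "pid": 2140,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvice.jar"},
]

Finding = namedtuple("Finding", "rule evidence")


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return PureWindowsPath(path).name.lower().removesuffix(".exe")


def in_user_dir(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def parse_switches(tokens):
    """Map schtasks-style /switch tokens to their argument ('' when flag-only)."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("/"):
            has_arg = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            opts[tokens[i].lower()] = tokens[i + 1] if has_arg else ""
            i += 2 if has_arg else 1
        else:
            i += 1
    return opts


def check_schtasks(ev):
    """Task creation whose action (/tr) is a .jar or sits in a user-writable directory."""
    toks = tokenize(ev["cmdline"])
    start = next((i for i, t in enumerate(toks) if basename(t) == "schtasks"), None)
    if start is None:  # also catches "cmd /c schtasks ..." wrappers
        return []
    opts = parse_switches(toks[start + 1:])
    target = opts.get("/tr", "")
    if "/create" in opts and (target.lower().endswith(".jar") or in_user_dir(target)):
        sched = f"{opts.get('/sc', '?')} /mo {opts.get('/mo', '1')}"
        return [Finding("scheduled_task_runs_jar", f"task {opts.get('/tn', '?')} every {sched}: {target}")]
    return []


def check_run_key(ev):
    """Run-key value that launches a .jar from a user-writable directory."""
    if "\\currentversion\\run\\" not in ev["key"].lower():
        return []
    jars = [t for t in tokenize(ev["value"]) if t.lower().endswith(".jar")]
    if jars and in_user_dir(jars[0]):
        hive = "HKLM" if ev["key"].lower().startswith("\\registry\\machine") else "HKCU"
        name = ev["key"].rsplit("\\", 1)[-1]
        return [Finding("run_key_launches_jar", f"{hive} {name} -> {jars[0]}")]
    return []


def check_startup(ev):
    """A .jar dropped into a Start Menu Startup folder (per-user or all-users)."""
    p = ev["path"].lower()
    hit = "\\start menu\\programs\\startup\\" in p and p.endswith(".jar")
    return [Finding("startup_folder_jar", ev["path"])] if hit else []


def check_chain(events):
    """schtasks.exe with a Java process somewhere in its ancestry."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    found = []
    for ev in procs.values():
        if basename(ev["image"]) != "schtasks":
            continue
        chain, cur = [], ev
        while cur is not None and len(chain) < 32:  # depth guard against bad ppid data
            chain.append(basename(cur["image"]) + ".exe")
            cur = procs.get(cur["ppid"])
        if {"java.exe", "javaw.exe"} & set(chain[1:]):
            found.append(Finding("java_to_schtasks_chain", " -> ".join(reversed(chain))))
    return found


def detect(events):
    """Run every per-event rule, then the cross-event ancestry rule."""
    checks = {"process": check_schtasks, "registry": check_run_key, "file_create": check_startup}
    findings = [f for ev in events for f in checks.get(ev["type"], lambda e: [])(ev)]
    return findings + check_chain(events)
```

On the constructed events this fires all four rules: the scheduled-task rule twice (once for the cmd.exe wrapper, once for schtasks.exe itself), the Run-key rule once per hive, the Startup rule once, and the ancestry rule with the chain java.exe -> cmd.exe -> schtasks.exe. A task whose action is an executable under Program Files produces nothing, which is the point of keying on the target directory rather than on schtasks.exe alone.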

Network

N/A

Files

memory/2140-62-0x0000000002260000-0x0000000005260000-memory.dmp

memory/2140-64-0x0000000000220000-0x0000000000221000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvice.jar

MD5     26da342748aa3edf5a5cd07053bf2a13
SHA1    1494b07921135f27ddac809c4d3eccc44ec1b857
SHA256  8b235767d5a49ed7fdcdc6964f6c0f2cd9b389e4f9de7121814c9947796ccf28
SHA512  163466911525bc7f2e7dccd14355e86d2a5a9e658c8ca169b99a9688fb0506d7063d73cfc2b044910869e0fede0c8e8bb1d456329f09957357e63ec8d8189af8

C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar

MD5     26da342748aa3edf5a5cd07053bf2a13
SHA1    1494b07921135f27ddac809c4d3eccc44ec1b857
SHA256  8b235767d5a49ed7fdcdc6964f6c0f2cd9b389e4f9de7121814c9947796ccf28
SHA512  163466911525bc7f2e7dccd14355e86d2a5a9e658c8ca169b99a9688fb0506d7063d73cfc2b044910869e0fede0c8e8bb1d456329f09957357e63ec8d8189af8

Both dropped copies carry the same SHA256 as the submitted sample, so the jar copies itself to disk unchanged and a single file hash covers all three locations. Note that this list records the all-users Startup folder under C:\ProgramData, while the "Drops startup file" signature above cites the per-user one under the Admin profile; a host sweep should check both.

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-18 04:16
Reported: 2023-07-18 04:18
Platform: win10v2004-20230703-en
Max time kernel: 14s
Max time network: 70s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.jar

Signatures

N/A (none of the persistence behaviour recorded in behavioral1 was observed in this Windows 10 run)

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe (PID 4408, from the memory dump names below)
  java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.jar

Network

Country   Destination    Domain (query name)            Proto
US        8.8.8.8:53     8.8.8.8.in-addr.arpa           udp
US        8.8.8.8:53     146.78.124.51.in-addr.arpa     udp

Both are reverse (PTR) lookups sent to Google Public DNS; 146.78.124.51.in-addr.arpa is the PTR name for 51.124.78.146. No other traffic, and no command-and-control contact, was recorded in either detonation.

Files

memory/4408-135-0x0000000003360000-0x0000000004360000-memory.dmp

memory/4408-144-0x0000000001600000-0x0000000001601000-memory.dmp