Malware Analysis Report

2024-12-07 20:48

Sample ID 230718-hdhd3ahe3x
Target Upit-za-ponudom.jar
SHA256 bd746671977b6b14234f2e00ab0a9c71e31f849a26a70a9266246e84bd83cc16
Tags
strrat persistence stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

bd746671977b6b14234f2e00ab0a9c71e31f849a26a70a9266246e84bd83cc16

Threat Level: Known bad

The file Upit-za-ponudom.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-18 06:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-18 06:37

Reported

2023-07-18 06:39

Platform

win7-20230712-en

Max time kernel

138s

Max time network

150s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Upit-za-ponudom.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description  | Indicator                                                                                               | Process                      | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Upit-za-ponudom.jar        | C:\Windows\system32\java.exe | N/A

Adds Run key to start application

persistence
Description     | Indicator                                                                                                                                                                                                                                   | Process                      | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\Upit-za-ponudom = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Upit-za-ponudom.jar\"" | C:\Windows\system32\java.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upit-za-ponudom = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Upit-za-ponudom.jar\""                                       | C:\Windows\system32\java.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description                       | Indicator | Process                      | Target
PID 2300 wrote to memory of 2852  | N/A       | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2300 wrote to memory of 2852  | N/A       | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2300 wrote to memory of 2852  | N/A       | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2300 wrote to memory of 2760  | N/A       | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 2300 wrote to memory of 2760  | N/A       | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 2300 wrote to memory of 2760  | N/A       | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 2852 wrote to memory of 2732  | N/A       | C:\Windows\system32\cmd.exe  | C:\Windows\system32\schtasks.exe
PID 2852 wrote to memory of 2732  | N/A       | C:\Windows\system32\cmd.exe  | C:\Windows\system32\schtasks.exe
PID 2852 wrote to memory of 2732  | N/A       | C:\Windows\system32\cmd.exe  | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Upit-za-ponudom.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar"

Network

Country | Destination         | Domain                     | Proto
US      | 8.8.8.8:53          | elastsolek1.duckdns.org    | udp
NL      | 103.212.81.157:4787 | elastsolek1.duckdns.org    | tcp
US      | 8.8.8.8:53          | zekeriyasolek45.duckdns.org | udp
RU      | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp
NL      | 103.212.81.157:4787 | elastsolek1.duckdns.org    | tcp
RU      | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp
NL      | 103.212.81.157:4787 | elastsolek1.duckdns.org    | tcp
RU      | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp
NL      | 103.212.81.157:4787 | elastsolek1.duckdns.org    | tcp
RU      | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp
US      | 8.8.8.8:53          | elastsolek1.duckdns.org    | udp
NL      | 103.212.81.157:4787 | elastsolek1.duckdns.org    | tcp
US      | 8.8.8.8:53          | zekeriyasolek45.duckdns.org | udp
RU      | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp

Files

memory/2300-63-0x0000000002110000-0x0000000005110000-memory.dmp

memory/2300-64-0x0000000000220000-0x0000000000221000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Upit-za-ponudom.jar

MD5 1904ed0bd55ce5942ee95a85b55d2ef0
SHA1 65dd5b7c99f877aafc364a19ab6dc71ccefa1d4c
SHA256 bd746671977b6b14234f2e00ab0a9c71e31f849a26a70a9266246e84bd83cc16
SHA512 15e20650a826e514e9c81efafb35eacf2632cac134cbfe01f46fe64d8ff5bc48b5cadb69fc44db7008506bc03e4e13356e6cb27ce9561fda44cfc6c196e84270

C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar

MD5 1904ed0bd55ce5942ee95a85b55d2ef0
SHA1 65dd5b7c99f877aafc364a19ab6dc71ccefa1d4c
SHA256 bd746671977b6b14234f2e00ab0a9c71e31f849a26a70a9266246e84bd83cc16
SHA512 15e20650a826e514e9c81efafb35eacf2632cac134cbfe01f46fe64d8ff5bc48b5cadb69fc44db7008506bc03e4e13356e6cb27ce9561fda44cfc6c196e84270

memory/2760-97-0x0000000002180000-0x0000000005180000-memory.dmp

memory/2760-104-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2760-107-0x0000000002180000-0x0000000005180000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-18 06:37

Reported

2023-07-18 06:39

Platform

win10v2004-20230703-en

Max time kernel

149s

Max time network

156s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Upit-za-ponudom.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description  | Indicator                                                                                        | Process                                      | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Upit-za-ponudom.jar | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A

Adds Run key to start application

persistence
Description     | Indicator                                                                                                                                                                                                                                            | Process                                      | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upit-za-ponudom = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Upit-za-ponudom.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upit-za-ponudom = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Upit-za-ponudom.jar\""                                          | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\system32\schtasks.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Upit-za-ponudom.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar"

Network

Country | Destination          | Domain                        | Proto
US      | 8.8.8.8:53           | 64.159.190.20.in-addr.arpa    | udp
US      | 8.8.8.8:53           | 8.3.197.209.in-addr.arpa      | udp
US      | 8.8.8.8:53           | 95.221.229.192.in-addr.arpa   | udp
US      | 8.8.8.8:53           | 2.136.104.51.in-addr.arpa     | udp
US      | 8.8.8.8:53           | elastsolek1.duckdns.org       | udp
NL      | 103.212.81.157:4787  | elastsolek1.duckdns.org       | tcp
US      | 8.8.8.8:53           | zekeriyasolek45.duckdns.org   | udp
RU      | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org   | tcp
US      | 8.8.8.8:53           | 86.23.85.13.in-addr.arpa      | udp
US      | 8.8.8.8:53           | 206.23.85.13.in-addr.arpa     | udp
US      | 8.8.8.8:53           | 158.240.127.40.in-addr.arpa   | udp
US      | 8.8.8.8:53           | 59.128.231.4.in-addr.arpa     | udp
NL      | 103.212.81.157:4787  | elastsolek1.duckdns.org       | tcp
RU      | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org   | tcp
US      | 8.8.8.8:53           | 57.169.31.20.in-addr.arpa     | udp
US      | 8.8.8.8:53           | 64.13.109.52.in-addr.arpa     | udp
NL      | 103.212.81.157:4787  | elastsolek1.duckdns.org       | tcp
RU      | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org   | tcp
US      | 8.8.8.8:53           | 202.74.101.95.in-addr.arpa    | udp
NL      | 103.212.81.157:4787  | elastsolek1.duckdns.org       | tcp
RU      | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org   | tcp
US      | 8.8.8.8:53           | 209.80.50.20.in-addr.arpa     | udp
US      | 8.8.8.8:53           | elastsolek1.duckdns.org       | udp
NL      | 103.212.81.157:4787  | elastsolek1.duckdns.org       | tcp

Files

memory/676-135-0x0000000002550000-0x0000000003550000-memory.dmp

memory/676-144-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Upit-za-ponudom.jar

MD5 1904ed0bd55ce5942ee95a85b55d2ef0
SHA1 65dd5b7c99f877aafc364a19ab6dc71ccefa1d4c
SHA256 bd746671977b6b14234f2e00ab0a9c71e31f849a26a70a9266246e84bd83cc16
SHA512 15e20650a826e514e9c81efafb35eacf2632cac134cbfe01f46fe64d8ff5bc48b5cadb69fc44db7008506bc03e4e13356e6cb27ce9561fda44cfc6c196e84270

memory/676-158-0x00000000027D0000-0x00000000027E0000-memory.dmp

memory/676-157-0x0000000002550000-0x0000000003550000-memory.dmp

memory/676-159-0x00000000027E0000-0x00000000027F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar

MD5 1904ed0bd55ce5942ee95a85b55d2ef0
SHA1 65dd5b7c99f877aafc364a19ab6dc71ccefa1d4c
SHA256 bd746671977b6b14234f2e00ab0a9c71e31f849a26a70a9266246e84bd83cc16
SHA512 15e20650a826e514e9c81efafb35eacf2632cac134cbfe01f46fe64d8ff5bc48b5cadb69fc44db7008506bc03e4e13356e6cb27ce9561fda44cfc6c196e84270

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 1a86c04f66a646a40a82eb0da005196e
SHA1 fb5039785c366f347245cb8f6b0e66b5c0d1b851
SHA256 5724fcd189faa2b5177ff49313cde2cf9fa04ac4bc06bea74a0c308352cf4c85
SHA512 f36983cd556a6e75c4be76cf9390b86370fd422084ea0967ca29181c60bb837d3ddc161ac87c404aa258160b7cef148b4b651bcd52ef135ac5e50d1a74d7047b

memory/1136-172-0x0000000002A20000-0x0000000003A20000-memory.dmp

memory/1136-173-0x0000000000D80000-0x0000000000D81000-memory.dmp

memory/1136-179-0x0000000002A20000-0x0000000003A20000-memory.dmp

memory/1136-180-0x0000000002A20000-0x0000000003A20000-memory.dmp

memory/676-181-0x0000000002550000-0x0000000003550000-memory.dmp

memory/1136-182-0x0000000002A20000-0x0000000003A20000-memory.dmp

memory/1136-183-0x0000000002A20000-0x0000000003A20000-memory.dmp

memory/1136-184-0x0000000002A20000-0x0000000003A20000-memory.dmp