Analysis Overview
SHA256
bd746671977b6b14234f2e00ab0a9c71e31f849a26a70a9266246e84bd83cc16
Threat Level: Known bad
The file Upit-za-ponudom.jar was found to be: Known bad.
Malicious Activity Summary
STRRAT
Drops startup file
Adds Run key to start application
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-18 06:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-18 06:37
Reported
2023-07-18 06:39
Platform
win7-20230712-en
Max time kernel
138s
Max time network
150s
Command Line
Signatures
STRRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Upit-za-ponudom.jar | C:\Windows\system32\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\Upit-za-ponudom = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Upit-za-ponudom.jar\"" | C:\Windows\system32\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upit-za-ponudom = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Upit-za-ponudom.jar\"" | C:\Windows\system32\java.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2300 wrote to memory of 2852 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 2300 wrote to memory of 2760 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2852 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Upit-za-ponudom.jar
C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar"
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | elastsolek1.duckdns.org | udp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| US | 8.8.8.8:53 | zekeriyasolek45.duckdns.org | udp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Upit-za-ponudom.jar
| MD5 | 1904ed0bd55ce5942ee95a85b55d2ef0 |
| SHA1 | 65dd5b7c99f877aafc364a19ab6dc71ccefa1d4c |
| SHA256 | bd746671977b6b14234f2e00ab0a9c71e31f849a26a70a9266246e84bd83cc16 |
| SHA512 | 15e20650a826e514e9c81efafb35eacf2632cac134cbfe01f46fe64d8ff5bc48b5cadb69fc44db7008506bc03e4e13356e6cb27ce9561fda44cfc6c196e84270 |
C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar
| MD5 | 1904ed0bd55ce5942ee95a85b55d2ef0 |
| SHA1 | 65dd5b7c99f877aafc364a19ab6dc71ccefa1d4c |
| SHA256 | bd746671977b6b14234f2e00ab0a9c71e31f849a26a70a9266246e84bd83cc16 |
| SHA512 | 15e20650a826e514e9c81efafb35eacf2632cac134cbfe01f46fe64d8ff5bc48b5cadb69fc44db7008506bc03e4e13356e6cb27ce9561fda44cfc6c196e84270 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-18 06:37
Reported
2023-07-18 06:39
Platform
win10v2004-20230703-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
STRRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Upit-za-ponudom.jar | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upit-za-ponudom = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Upit-za-ponudom.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upit-za-ponudom = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Upit-za-ponudom.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 676 wrote to memory of 220 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 676 wrote to memory of 1136 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre1.8.0_66\bin\java.exe |
| PID 220 wrote to memory of 4700 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Upit-za-ponudom.jar
C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar"
C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | elastsolek1.duckdns.org | udp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| US | 8.8.8.8:53 | zekeriyasolek45.duckdns.org | udp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.80.50.20.in-addr.arpa | udp |
Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Upit-za-ponudom.jar
| MD5 | 1904ed0bd55ce5942ee95a85b55d2ef0 |
| SHA1 | 65dd5b7c99f877aafc364a19ab6dc71ccefa1d4c |
| SHA256 | bd746671977b6b14234f2e00ab0a9c71e31f849a26a70a9266246e84bd83cc16 |
| SHA512 | 15e20650a826e514e9c81efafb35eacf2632cac134cbfe01f46fe64d8ff5bc48b5cadb69fc44db7008506bc03e4e13356e6cb27ce9561fda44cfc6c196e84270 |
C:\Users\Admin\AppData\Roaming\Upit-za-ponudom.jar
| MD5 | 1904ed0bd55ce5942ee95a85b55d2ef0 |
| SHA1 | 65dd5b7c99f877aafc364a19ab6dc71ccefa1d4c |
| SHA256 | bd746671977b6b14234f2e00ab0a9c71e31f849a26a70a9266246e84bd83cc16 |
| SHA512 | 15e20650a826e514e9c81efafb35eacf2632cac134cbfe01f46fe64d8ff5bc48b5cadb69fc44db7008506bc03e4e13356e6cb27ce9561fda44cfc6c196e84270 |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | 1a86c04f66a646a40a82eb0da005196e |
| SHA1 | fb5039785c366f347245cb8f6b0e66b5c0d1b851 |
| SHA256 | 5724fcd189faa2b5177ff49313cde2cf9fa04ac4bc06bea74a0c308352cf4c85 |
| SHA512 | f36983cd556a6e75c4be76cf9390b86370fd422084ea0967ca29181c60bb837d3ddc161ac87c404aa258160b7cef148b4b651bcd52ef135ac5e50d1a74d7047b |